Re: FreeBSD Squid 3.2 Reverse Proxy with HTTPS

Hi Dean,

Just stumbled upon your post. I'm encountering the exact same issue as you with my FreeBSD 8.3 squid-3.2.13 server. Have you learned anything new on this issue?

Best,
Daniel

--
daniel duerr | president | ouido.net
d...@ouido.net | +1 (831) 531-2272 x103
Managed hosting services for Business

___
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to freebsd-questions-unsubscr...@freebsd.org
Re: FreeBSD Squid 3.2 Reverse Proxy with HTTPS

On 09/05/2013 7:24 pm, Daniel Duerr wrote:
> Hi Dean,
>
> Just stumbled upon your post. I'm encountering the exact same issue as you with my FreeBSD 8.3 squid-3.2.13 server. Have you learned anything new on this issue?
>
> Best,
> Daniel
>
> --
> daniel duerr | president | ouido.net
> d...@ouido.net | +1 (831) 531-2272 x103
> Managed hosting services for Business

Well, yes and no. I never did find the exact cause or fix, but when I tried Squid 3.3 after the FreeBSD port was available on 9.1 the problem was gone.

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
FreeBSD Squid 3.2 Reverse Proxy with HTTPS

I am stuck in a kind of desperate situation. I have been managing several FreeBSD systems as forward proxy servers with Squid on them for 13 years, and a few with reverse proxies for around 4 years. But for the last few months, I have been struggling with HTTPS uploads failing on the reverse proxies. I have personally built and destroyed over 20 virtual machines, and spent countless hours on this, every time duplicating the problem, no matter how basic I strip the process down. I have tried FreeBSD 8.3, 9.0, 9.1, with Squid 3.2.6, 3.2.7, 3.2.8, and a couple different versions of the Squid 3.1 port. Everything installs without errors, services all start, pages load, all looks great, until you try to do a POST on HTTPS. I thought at first it was just when the size was over a certain amount, but that turned out to be a wrong assumption.

I have a test scenario that can duplicate the problem with the exact same results every time. In the end my test is just a simple HTML form that submits a file to a PHP script that saves it. I have a directory of 7 .png image files that are screenshots from some documentation I wrote for our PC support desk. 3 of the files upload successfully, and 4 of them fail. It's the same 3 and 4 every time; I can't find anything in common between the ones that succeed and fail. They will all work if you use http going to the same exact HTML form and PHP script. If I remove Squid and go directly to the Apache process using HTTPS all files upload fine.

After a lot of debugging, and painstakingly reading very long Squid debugging logs, I found out that Squid appears to continue waiting for the end of the file after the client browser has stopped sending data, for almost 5 minutes, before just returning complete, and not actually submitting the file to the Apache process. If you actually stop the browser while it's sitting there waiting for a response, the file gets submitted to the Apache process and saves successfully.

I have a couple existing production servers that are running 9.0, with Squid 3.1.21, that are working, but I am in desperate need of updating them to meet requirements. I have posted several messages to the Squid mailing list, received some initial suggestions that didn't get anywhere, but I haven't been able to get any more help. I am hoping to find someone else out there that is running FreeBSD with Squid in a reverse proxy setup with HTTPS that has not run into this issue and is willing to share configurations with me, so I can possibly find out what's wrong with my setup. Or if you have also run into this issue, perhaps we can share notes and possibly find something that will make it possible to file a bug report somewhere. Even though I can reproduce this without fail, none of my debugging output actually gives an error; it just doesn't behave correctly.

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
Squid 3.2 Reverse Proxy Problems on FreeBSD

Is anyone else running the Squid 3.2 branch on FreeBSD as a reverse proxy? Specifically using HTTPS and uploading data?

The reason I ask: I have a server running FreeBSD 9.0-p4 and Squid 3.1.21, and all works. I tried upgrading to a new server running FreeBSD 9.1 with Squid 3.2.6, thought everything was working, then we started getting complaints on to of the back end applications. Tracked the issue down to any submit forms on HTTPS: if somewhere between 2.2k and 3k it breaks; if the post is under that very small size, instant success; if over that size the browser churns for a few minutes then returns

Bad Request
Your browser sent a request that this server could not understand.

On the Squid side there is a TCP_MISS_ABORTED log entry that gets logged. The problem doesn't show up on HTTP; I can upload large files, tested up to 50M.

I just wanted to see if anyone else is successfully doing this; maybe it's something specific to my server build and I just need to start over. Both servers have been built from source, both using clang, including ports, except on gcc, open-vm-tools, and squid. They are both running on the same cluster of ESX 4.1 servers. Other than the FreeBSD version and Squid version the other difference is ZFS used on the file system for the FreeBSD 9.1 and UFS used for the FreeBSD 9.0-p4.

I have already started a thread on the Squid mailing list on the issue as well, but haven't gotten any help yet. But now that I have the production setup going through the old server again, I can do some more testing and enable debugging and possibly get some useful information as to what's happening.

--
Thanks,
Dean E. Weimer
http://www.dweimer.net/
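The two posts above describe the same symptom: a POST over HTTPS through the reverse proxy that succeeds below some request size and hangs (then fails) above it. Pinning that threshold down by hand is slow, so here is a small bisection harness as an added example; it is not from the thread or from Squid. The probe posts N bytes with curl under a hard timeout so a proxy that sits waiting, as Dean describes, is counted as a failure rather than stalling the search. The URL is an assumed placeholder, and "success" is defined here as any 2xx status.

```sh
#!/bin/sh
# Added example (not from the thread): find the request size at which an HTTPS POST
# through the proxy starts failing, by bisection. POST_URL is an assumed placeholder.

# probe_https_post SIZE : exit 0 if a POST body of SIZE bytes gets a 2xx back.
# -m 30 bounds each attempt; a proxy that never answers counts as a failure.
probe_https_post() {
  size=$1
  url=${POST_URL:-https://proxy.example.test/upload.php}   # assumed placeholder
  head -c "$size" /dev/zero | tr '\0' 'A' |
    curl -sS -o /dev/null -m 30 --data-binary @- \
         -w '%{http_code}' "$url" 2>/dev/null | grep -q '^2'
}

# bisect_size PROBE LO HI : print the smallest size in (LO, HI] at which PROBE fails,
# given that PROBE succeeds at LO and fails at HI. Exit 2 if that precondition
# does not hold, so a misconfigured probe is not mistaken for a clean result.
bisect_size() {
  probe=$1; lo=$2; hi=$3
  if ! "$probe" "$lo"; then
    echo "probe already fails at $lo bytes" >&2; return 2
  fi
  if "$probe" "$hi"; then
    echo "probe still succeeds at $hi bytes" >&2; return 2
  fi
  while [ $((hi - lo)) -gt 1 ]; do
    mid=$(((lo + hi) / 2))
    if "$probe" "$mid"; then lo=$mid; else hi=$mid; fi
  done
  echo "$hi"
}
```

Run it as `POST_URL=https://your-proxy/upload.php sh harness.sh` with a final line `bisect_size probe_https_post 2200 3000` (the 2.2k to 3k window from the post); if the front end uses a private CA, add `--cacert` to the curl call rather than `-k`. Once the threshold is known, comparing it with the TLS record size and Squid's request buffering is a lot more productive than re-uploading screenshots.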
Re: Anyone using squid and pf?

Damien Fleuriot skrev 2012-11-29 00:28:
> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>
> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>
> # 3/ access rule to allow traffic from the local net to your proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>
> # 4/ access rule to allow traffic from the local net to your FTP proxy
> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>
> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

Hello Damien

I'm concentrating on getting the web traffic to work first. I've changed rule #1 as you can see below but pf returns a syntax error.

# redirect www traffic to proxy
rdr in on $int_if inet proto tcp from !$proxy to any port $proxy_services -> $proxy $proxyport tag rdr_proxy

My variables are:

proxy = 172.18.0.1
proxy_services = { 21, 80 }
proxyport=8080

Am I supposed to add rule #5 as well or is it a suggestion?

Thanks
/Leslie
Re: Anyone using squid and pf?

On 30 Nov 2012, at 08:30, Leslie Jensen les...@eskk.nu wrote:
> Damien Fleuriot skrev 2012-11-29 00:28:
>> On 27 November 2012 22:01, Leslie Jensen les...@eskk.nu wrote:
>>
>> Well, that depends on what you want to do.
>> If you want FTP traffic to go to ftp-proxy running on the firewall, then redirect to 8021.
>> If you want it to go to your squid proxy, then send it to port 8080 on $proxy.
>>
>> Let's redo your redirects correctly. I'll expand upon Volodymyr's idea of not confusing normal rules with ones matching a packet that was redirected, through the use of tags.
>>
>> # 1/ redirect web traffic to the proxy $proxy on port $proxyport
>> rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy
>>
>> # 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
>> rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp
>>
>> # 3/ access rule to allow traffic from the local net to your proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
>>
>> # 4/ access rule to allow traffic from the local net to your FTP proxy
>> pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
>>
>> # 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
>> pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
>>
>> I liked Volodymyr's original intent behind the rdr pass; the use of tags here allows you to set up actual pass/block rules and still match packets coming from a redirect. This has many advantages, including:
>> - quick keyword
>> - flags matching
>> - use of labels to keep stats, if you'd like to
>> Well, basically it only has advantages.
>>
>> Let me know if that helped.
>
> Thank you Damien.
> I'll try out your suggestions and report back.
>
> Thanks :-)
> /Leslie

The rdr rules should read:

rdr in on $int_if from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport

Notice the packet gets tagged before the -> destination syntax.

Otherwise, should be just fine.
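The syntax error Leslie hit comes down to where `tag` sits in a rdr rule: pf expects it before the `->` destination. As an added example, not something posted in the thread, here is the corrected rule set from Damien's reply written out as a pf.conf fragment, together with two small checks a practitioner would want before loading it: one that flags any rdr rule with `tag` after `->`, and one that every tag set by a rdr rule has a matching `tagged` pass rule (otherwise the redirected packets are silently blocked). The interface, proxy address and port are the thread's macro values; the checks are my own and only do textual linting, not a full pf parse.

```sh
#!/bin/sh
# Added example (not from the thread): the tag-based redirect rules, plus two lint
# checks for the mistakes that make pf reject or silently block them.

# The corrected rule set. Macro values are the ones from Leslie's pf.conf.
pf_rules() {
cat <<'EOF'
int_if = "bge0"
proxy = "172.18.0.1"
proxyport = "8080"

# 1/ redirect web traffic to the proxy; the tag must precede "->"
rdr in on $int_if inet proto tcp from !$proxy to any port 80 tag rdr_proxy -> $proxy port $proxyport
# 2/ redirect FTP traffic to the local ftp-proxy on 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21 tag rdr_ftp -> 127.0.0.1 port 8021
# 3/ and 4/ pass only what a rdr rule tagged
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp
# 5/ let the proxy itself reach 80/443 only
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR
EOF
}

# rdr_tag_order_ok < rules : fail if any rdr line has " tag " after "->".
# The surrounding [[:space:]] keeps "tagged" from matching.
rdr_tag_order_ok() {
  if grep -E '^[[:space:]]*rdr[[:space:]].*->.*[[:space:]]tag[[:space:]]' >/dev/null; then
    echo "rdr rule puts 'tag' after '->'; move it before the destination" >&2
    return 1
  fi
  return 0
}

# tags_have_pass_rules < rules : every tag set by a rdr rule needs a "tagged" pass rule,
# or the redirected connections never get through.
tags_have_pass_rules() {
  rules=$(cat)
  for t in $(printf '%s\n' "$rules" | sed -n 's/^[[:space:]]*rdr .*[[:space:]]tag \([A-Za-z0-9_]*\).*$/\1/p'); do
    if ! printf '%s\n' "$rules" | grep -qE "[[:space:]]tagged $t([[:space:]]|\$)"; then
      echo "no pass rule for tag $t" >&2
      return 1
    fi
  done
  return 0
}
```

To try the fragment on a real box: `pf_rules > /tmp/pf.test && pfctl -nf /tmp/pf.test` parses it without loading it. The lint functions read the rules on stdin, so `pf_rules | rdr_tag_order_ok && pf_rules | tags_have_pass_rules` is the whole pre-flight check.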
Re: Anyone using squid and pf?

On 27 November 2012 22:01, Leslie Jensen les...@eskk.nu wrote:
> Volodymyr Kostyrko skrev 2012-11-26 21:50:
>> 26.11.2012 20:40, Leslie Jensen:
>>> Rules from pf.conf
>>>
>>> # macros
>>> ext_if=xl0
>>> int_if=bge0
>>> tcp_services={ 22, 993, 5910:5917 }
>>> tcp_priv_services={ 389, 443 }
>>> proxy_services = { 21, 80 }
>>> icmp_types={ echoreq unreach squench timex }
>>> internal_net = 172.18.0.0/16
>>> proxy = 172.18.0.1
>>> proxyport=8021
>>>
>>> # tables
>>> table <goodguys> persist
>>> table <sshguard> persist
>>>
>>> # options
>>> set block-policy return # ports are closed but can be seen
>>> set loginterface $ext_if
>>> set skip on lo0
>>>
>>> # scrub
>>> scrub in
>>>
>>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>>
>>> # redirect www traffic to proxy
>>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>>
>> I could be wrong here but I think you have a loop. You are redirecting from local interface to local interface, i.e. the result of redirect is still subject for redirect. Could you try one of the following:
>>
>> 1. Make this a `rdr in on $int_if`.
>> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way so port for transparent forwarding is unreachable except when explicitly redirecting to it.
>>
>> Personally I never allow such ambiguity in my configs.
>
> #1 gives a syntax error when I try to load it.
>
> #2 My intention is to redirect only ftp traffic with this rule so that's why I use port 8021. Do you mean that I should redirect even ftp traffic to port 8080?
>
> Thanks!
> /Leslie

Well, that depends on what you want to do.
If you want FTP traffic to go to ftp-proxy running on the firewall, then redirect to 8021.
If you want it to go to your squid proxy, then send it to port 8080 on $proxy.

Let's redo your redirects correctly. I'll expand upon Volodymyr's idea of not confusing normal rules with ones matching a packet that was redirected, through the use of tags.

# 1/ redirect web traffic to the proxy $proxy on port $proxyport
rdr in on $int_if inet proto tcp from !$proxy to any port 80 -> $proxy port $proxyport tag rdr_proxy

# 2/ redirect FTP traffic to the ftp-proxy running on the local machine on port 8021
rdr in on $int_if inet proto tcp from $int_if:network to any port 21 -> 127.0.0.1 port 8021 tag rdr_ftp

# 3/ access rule to allow traffic from the local net to your proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_proxy

# 4/ access rule to allow traffic from the local net to your FTP proxy
pass in quick on $int_if inet proto tcp flags S/SAFR tagged rdr_ftp

# 5/ access rule to allow your proxy to do whatever it wants in a very limited fashion
pass in quick on $int_if inet proto tcp from $proxy to any port { 80 443 } flags S/SAFR

I liked Volodymyr's original intent behind the rdr pass; the use of tags here allows you to set up actual pass/block rules and still match packets coming from a redirect. This has many advantages, including:
- quick keyword
- flags matching
- use of labels to keep stats, if you'd like to
Well, basically it only has advantages.

Let me know if that helped.
Re: Anyone using squid and pf?

Volodymyr Kostyrko skrev 2012-11-26 21:50:
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting from local interface to local interface, i.e. the result of redirect is still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way so port for transparent forwarding is unreachable except when explicitly redirecting to it.
>
> Personally I never allow such ambiguity in my configs.

Thanks! I'll try it out. I need to wait until tonight; the machine is in use at the moment.

#1 I see your point.

#2 This rule is for intended ftp traffic. That's why I'm sending to another port number.

/Leslie
RE: Anyone using squid and pf?

[...]
> Rules from pf.conf
>
> # macros
> ext_if=xl0
> int_if=bge0
> tcp_services={ 22, 993, 5910:5917 }
> tcp_priv_services={ 389, 443 }
> proxy_services = { 21, 80 }
> icmp_types={ echoreq unreach squench timex }
> internal_net = 172.18.0.0/16
> proxy = 172.18.0.1
> proxyport=8021
         ^ No whitespace here
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
                                                                                  ^ Whitespace here.

Maybe that's the issue here?

> # ext_if IP address could be dynamic, hence ($ext_if)
> nat on $ext_if from !($ext_if) to any -> ($ext_if)
[...]
Re: Anyone using squid and pf?

On Nov 27, 2012, at 6:34 PM, Doug Sampson do...@dawnsign.com wrote:
> [...]
>> Rules from pf.conf
>>
>> # macros
>> ext_if=xl0
>> int_if=bge0
>> tcp_services={ 22, 993, 5910:5917 }
>> tcp_priv_services={ 389, 443 }
>> proxy_services = { 21, 80 }
>> icmp_types={ echoreq unreach squench timex }
>> internal_net = 172.18.0.0/16
>> proxy = 172.18.0.1
>> proxyport=8021
>          ^ No whitespace here
>>
>> # tables
>> table <goodguys> persist
>> table <sshguard> persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>                                                                                   ^ Whitespace here.
>
> Maybe that's the issue here?

Erm, working as intended, Doug.
He's redirecting from his internal net to any port defined as proxiable, to his $proxy machine on port 8080.
Looks good to me.

>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> [...]
Re: Anyone using squid and pf?

Doug Sampson skrev 2012-11-27 18:34:
> [...]
>> Rules from pf.conf
>>
>> # macros
>> ext_if=xl0
>> int_if=bge0
>> tcp_services={ 22, 993, 5910:5917 }
>> tcp_priv_services={ 389, 443 }
>> proxy_services = { 21, 80 }
>> icmp_types={ echoreq unreach squench timex }
>> internal_net = 172.18.0.0/16
>> proxy = 172.18.0.1
>> proxyport=8021
>          ^ No whitespace here
>>
>> # tables
>> table <goodguys> persist
>> table <sshguard> persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>                                                                                   ^ Whitespace here.
>
> Maybe that's the issue here?
>
>> # ext_if IP address could be dynamic, hence ($ext_if)
>> nat on $ext_if from !($ext_if) to any -> ($ext_if)
> [...]

Thanks!

No, if you see I have a $proxy and a $proxyport (I shall rename this one; it's confusing, I know). So the whitespace is not the problem.

/Leslie
Re: Anyone using squid and pf?

Volodymyr Kostyrko skrev 2012-11-26 21:50:
> 26.11.2012 20:40, Leslie Jensen:
>> Rules from pf.conf
>>
>> # macros
>> ext_if=xl0
>> int_if=bge0
>> tcp_services={ 22, 993, 5910:5917 }
>> tcp_priv_services={ 389, 443 }
>> proxy_services = { 21, 80 }
>> icmp_types={ echoreq unreach squench timex }
>> internal_net = 172.18.0.0/16
>> proxy = 172.18.0.1
>> proxyport=8021
>>
>> # tables
>> table <goodguys> persist
>> table <sshguard> persist
>>
>> # options
>> set block-policy return # ports are closed but can be seen
>> set loginterface $ext_if
>> set skip on lo0
>>
>> # scrub
>> scrub in
>>
>> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>>
>> # redirect www traffic to proxy
>> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080
>
> I could be wrong here but I think you have a loop. You are redirecting from local interface to local interface, i.e. the result of redirect is still subject for redirect. Could you try one of the following:
>
> 1. Make this a `rdr in on $int_if`.
> 2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way so port for transparent forwarding is unreachable except when explicitly redirecting to it.
>
> Personally I never allow such ambiguity in my configs.

#1 gives a syntax error when I try to load it.

#2 My intention is to redirect only ftp traffic with this rule so that's why I use port 8021. Do you mean that I should redirect even ftp traffic to port 8080?

Thanks!
/Leslie
Re: Anyone using squid and pf?

24.11.2012 17:39, Leslie Jensen:
> I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same configuration file now gives me errors in cache.log when one tries to access any site, and of course no access!
>
> 2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:
>
> Reverting back to 3.1 works.
>
> I know there are some changes in 3.2 that do this
>
> + 3.2 intercept port receiving forward-proxy requests will reject them due to NAT failure/lies.
> + 3.2 Host header validation *will* reject if forward traffic is validated as being intercepted.
>
> I would appreciate suggestions for changes to squid.conf so that squid will work for me with version 3.2.

When switching to 3.2 I had to split listening ports - one for transparency and one for the local machine. However, this doesn't look like your case. Can you please provide relevant parts of pf.conf and full log output, not just the first line?

--
Sphinx of black quartz, judge my vow.
Re: Anyone using squid and pf?

26.11.2012 20:40, Leslie Jensen:
> Rules from pf.conf
>
> # macros
> ext_if=xl0
> int_if=bge0
> tcp_services={ 22, 993, 5910:5917 }
> tcp_priv_services={ 389, 443 }
> proxy_services = { 21, 80 }
> icmp_types={ echoreq unreach squench timex }
> internal_net = 172.18.0.0/16
> proxy = 172.18.0.1
> proxyport=8021
>
> # tables
> table <goodguys> persist
> table <sshguard> persist
>
> # options
> set block-policy return # ports are closed but can be seen
> set loginterface $ext_if
> set skip on lo0
>
> # scrub
> scrub in
>
> rdr pass proto tcp from any to any port ftp -> 127.0.0.1 port 8021
>
> # redirect www traffic to proxy
> rdr on $int_if inet proto tcp from $internal_net to any port $proxy_services -> $proxy port 8080

I could be wrong here but I think you have a loop. You are redirecting from local interface to local interface, i.e. the result of redirect is still subject for redirect. Could you try one of the following:

1. Make this a `rdr in on $int_if`.
2. Make this a `rdr pass ... -> 127.0.0.1 port 8080`. I prefer this way so port for transparent forwarding is unreachable except when explicitly redirecting to it.

Personally I never allow such ambiguity in my configs.

--
Sphinx of black quartz, judge my vow.
Anyone using squid and pf?

I've upgraded squid from 3.1 to 3.2. Starting squid 3.2 with the same configuration file now gives me errors in cache.log when one tries to access any site, and of course no access!

2012/11/24 16:24:56 kid1| WARNING: Forwarding loop detected for:

Reverting back to 3.1 works.

I know there are some changes in 3.2 that do this

+ 3.2 intercept port receiving forward-proxy requests will reject them due to NAT failure/lies.
+ 3.2 Host header validation *will* reject if forward traffic is validated as being intercepted.

I would appreciate suggestions for changes to squid.conf so that squid will work for me with version 3.2.

Thanks
/Leslie
OT - Squid external connections

Hi;

Would anybody know how I can cross-reference squid/Lusca external connections with LAN hosts?

For example, if I see an http connection on ext_if, is there a way to find out on behalf of which LAN host squid is making that connection?

Using FreeBSD 8.2-STABLE, pf and Lusca latest port.

I tried to search for a hint but this is really tricky to Google for.

Please forgive me the OT but this list has always been a good first step for the right directions.

Thanks,

--
Mario Lobo
http://www.mallavoodoo.com.br
FreeBSD since 2.2.8 [not Pro-Audio YET!!] (99% winblows FREE)
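Nobody in the archive answers Mario's question, but the proxy's own access.log already holds the mapping: in Squid's native log format the third field is the LAN client and the ninth is the hierarchy code plus the upstream address the proxy actually connected to (`DIRECT/203.0.113.10`); cache hits are logged as `NONE/-` and never produce an outbound connection. The following awk wrapper, added here as an example and not taken from the thread or from Squid/Lusca, lists which LAN clients caused connections to a given upstream IP, optionally only since a given Unix timestamp so it can be matched against what is currently visible on ext_if. The log lines it ships with are constructed for the demonstration.

```sh
#!/bin/sh
# Added example (not from the thread): map an outbound proxy connection back to the
# LAN host(s) that caused it, using Squid's native access.log format.
# Fields: time elapsed client result/status bytes method URL user hierarchy/peer type

# sample_access_log : constructed log lines for a stand-alone run (not real traffic)
sample_access_log() {
cat <<'EOF'
1355317800.123    245 172.18.0.42 TCP_MISS/200 5123 GET http://www.example.com/index.html - DIRECT/203.0.113.10 text/html
1355317801.456     12 172.18.0.42 TCP_HIT/200 811 GET http://www.example.com/logo.png - NONE/- image/png
1355317802.789    330 172.18.0.77 TCP_MISS/200 9981 GET http://www.example.com/page2.html - DIRECT/203.0.113.10 text/html
1355317803.001    501 172.18.0.77 TCP_MISS/200 2210 POST http://other.example.net/api - DIRECT/198.51.100.5 application/json
1355317804.555    110 172.18.0.42 TCP_MISS/200 4321 GET http://www.example.com/x.html - DIRECT/203.0.113.10 text/html
EOF
}

# squid_clients_for_peer LOG PEER_IP [SINCE_EPOCH]
# Prints "client count" lines, most active client first, for requests the proxy
# fetched from PEER_IP at or after SINCE_EPOCH (default: whole log).
# Hits served from cache (NONE/-) are ignored: they caused no external connection.
squid_clients_for_peer() {
  log=$1; peer=$2; since=${3:-0}
  awk -v peer="$peer" -v since="$since" '
    $1 + 0 >= since + 0 {
      split($9, h, "/")
      if (h[2] == peer) n[$3]++
    }
    END { for (c in n) print c, n[c] }
  ' "$log" | sort -k2,2nr -k1,1
}
```

Usage on a live box: `squid_clients_for_peer /var/log/squid/access.log 203.0.113.10 $(( $(date +%s) - 300 ))` lists who drove connections to that address in the last five minutes. If the log is rotated or buffered, pair it with `pfctl -ss` on the firewall, which shows the proxy-side state including source port, and narrow the time window accordingly.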
Squid issue

Firstly, I know this is a bit off topic for this list; please accept my apologies in advance. I have tried asking in more relevant circles but I have had no responses at all.

Under pfSense I have OpenVPN running and Squid. The VPN has rules to route traffic on ports 119 and 563 via the VPN connection and everything else should route via the normal WAN connection, and this works as expected until I introduced Squid to the mix. Now web traffic is being routed via the VPN and I can see no obvious options in Squid to force it to use the WAN gateway.

If anyone has any ideas or solutions feel free to contact me off list.

Regards
Graeme
Re: Squid issue

> Firstly, I know this is a bit off topic for this list; please accept my apologies in advance. I have tried asking in more relevant circles but I have had no responses at all.
>
> Under pfSense I have OpenVPN running and Squid. The VPN has rules to route traffic on ports 119 and 563 via the VPN connection and everything else should route via the normal WAN connection, and this works as expected until I introduced Squid to the mix. Now web traffic is being routed via the VPN and I can see no obvious options in Squid to force it to use the WAN gateway.
>
> If anyone has any ideas or solutions feel free to contact me off list.

tcpdump is your friend, and check tcp_outgoing_address in squid config. It may make a difference.

For sure SOMETHING is wrong with your firewall rules, not in squid.

I don't use pfSense (don't even know what it is), but ipfw and mpd, so I cannot help you more.
Problem with FreeBSD working with squid and WCCPv2 Cisco 6500 series

Hi, I have some query and would like to ask anyone on squid with cisco catalyst 6500 switch with wccpv2.

My setup:
- squid2.7-stable9 on freebsd 7.2-RELEASE
- cisco switch catalyst 6500 with ios 12.2(33)SXJ1

Internet
   |
Cisco FWSM firewall
   |
cisco switch catalyst 6500 (Core switch) 10.4.10.1
   |                            |
DMZ Segment                 Internal LAN (10.0.0.0/8)
   |                            |
Squid box (202.188.244.8)     User

FreeBSD conf:

ifconfig gre0
gre0: flags=d051<UP,POINTOPOINT,RUNNING,LINK0,LINK2,MULTICAST> metric 0 mtu 1476
        tunnel inet 202.188.244.8 --> 10.4.10.1
        inet 202.188.244.8 --> 192.168.249.2 netmask 0x

ipnat rules:
rdr bce0 0.0.0.0/0 port 80 -> 202.188.244.8 port 7788
rdr bce0 0.0.0.0/0 port 443 -> 202.188.244.8 port 7788
rdr gre0 0.0.0.0/0 port 80 -> 202.188.244.8 port 7788
rdr gre0 0.0.0.0/0 port 443 -> 202.188.244.8 port 7788

ipf rules:
pass in log first on gre0 all
pass out log first on gre0 all
pass in log first on bce0 all
pass out log first on bce0 all

/etc/rc.conf
ifconfig_bce0="inet 202.188.244.8 netmask 255.255.255.0"
cloned_interfaces="gre0"
ifconfig_gre0="inet 202.188.244.8 192.168.249.2 netmask 255.255.255.255 link2 tunnel 202.188.244.8 10.4.10.1 up"

sysctl.conf
net.inet.ip.forwarding: 1
net.inet.ip.fastforwarding: 1

squid.conf
wccp2_router 10.4.10.1
wccp2_forwarding_method 1
wccp2_return_method 1
wccp2_service standard 0
wccp2_address 0.0.0.0
wccp2_assignment_method 1

Cisco 6500 output:

#show ip wccp web-cache
Global WCCP information:
    Router information:
        Router Identifier:                   192.168.250.2
        Protocol Version:                    2.0

    Service Identifier: web-cache
        Number of Service Group Clients:     1
        Number of Service Group Routers:     1
        Total Packets s/w Redirected:        3799
          Process:                           0
          CEF:                               3799
        Redirect access-list:                120
        Total Packets Denied Redirect:       0
        Total Packets Unassigned:            382
        Group access-list:                   20
        Total Messages Denied to Group:      0
        Total Authentication failures:       0
        Total Bypassed Packets Received:     0

#show ip wccp web-cache detail
WCCP Client information:
        WCCP Client ID:          202.188.244.8
        Protocol Version:        2.0
        State:                   Usable
        Redirection:             GRE
        Packet Return:           GRE
        Assignment:              HASH
        Initial Hash Info:
        Assigned Hash Info:
        Hash Allotment:          256 (100.00%)
        Packets s/w Redirected:  3139
        Connect Time:            00:48:27
        Bypassed Packets
          Process:               0
          CEF:                   0
          Errors:                0

squid cache log:
2012/03/14 19:31:51| wccp2HereIam: sending to service id 0
2012/03/14 19:31:51| Sending HereIam packet size 144
2012/03/14 19:31:51| Incoming WCCPv2 I_SEE_YOU length 132.
2012/03/14 19:31:51| Complete packet received
2012/03/14 19:31:51| Incoming WCCP2_I_SEE_YOU Received ID old=1591 new=1592.
2012/03/14 19:31:51| Cleaning out cache list

Cisco 6500 debug message:
*Mar 14 18:53:43.291: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 14 18:53:43.291: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 14 18:53:43.291: WCCP-EVNT:wccp_validate_wc_assignments: enter
*Mar 14 18:53:43.291: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
*Mar 14 18:53:43.291: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w/ rcv_id 05F4
*Mar 14 18:53:53.291: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 14 18:53:53.291: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 14 18:53:53.291: WCCP-EVNT:wccp_validate_wc_assignments: enter
*Mar 14 18:53:53.291: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
*Mar 14 18:53:53.291: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w/ rcv_id 05F5
*Mar 14 18:54:03.295: WCCP-EVNT:wccp_update_assignment_status: enter
*Mar 14 18:54:03.295: WCCP-EVNT:wccp_update_assignment_status: exit
*Mar 14 18:54:03.295: WCCP-EVNT:wccp_validate_wc_assignments: enter
*Mar 14 18:54:03.295: WCCP-EVNT:wccp_validate_wc_assignments: not mask assignment, exit
*Mar 14 18:54:03.295: WCCP-PKT:S00: Sending I_See_You packet to 202.188.244.8 w
Squid with Kerberos user authentication

I've been running squid on a proxy server for several years and now my boss wants usage reports organized by users' login names instead of IP addresses. We're in an Active Directory environment and use Kerberos authentication. I googled around and used this link:

http://wiki.squid-cache.org/ConfigExamples/Authenticate/Kerberos#Squid_Configuration_File

I made all the changes according to the instructions contained in the link. I ran into a problem with setting the KRB5_KTNAME variable (as listed in the Squid Configuration File section). It states as follows:

---
Add the following to the squid startup script (Make sure the keytab is readable by the squid process owner e.g. chgrp squid /etc/squid/HTTP.keytab; chmod g+r /etc/squid/HTTP.keytab )

KRB5_KTNAME=/etc/squid/HTTP.keytab
export KRB5_KTNAME
---

I'm using the csh shell and apparently the export command isn't part of the csh shell. After some searching around, I came across this link:

http://www.cyberciti.biz/faq/freebsd-how-to-export-shell-variable/

which gives me the csh replacement for the bash export command. I tried this:

# setenv KRB5_KTNAME /usr/local/etc/squid/krbcron_squid.keytab

and it appears to have worked.

On top of that, the instructions require that the establishment of the KRB5_KTNAME variable be done in the squid startup script. In the FreeBSD OS, would that be the /usr/local/etc/rc.d/squid file? I don't see a section for setenv in the squid.conf file.

I know I am almost there but I need a nudge here!

~Doug
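Two points from this post are worth making concrete. First, the `export` form is not wrong for FreeBSD: the rc.d scripts under /usr/local/etc/rc.d are Bourne-shell scripts run by /bin/sh, so `KRB5_KTNAME=...; export KRB5_KTNAME` is exactly the syntax they understand; `setenv` only applies to the interactive csh session and is lost when the daemon is started by rc. Second, the wiki's chgrp/chmod advice exists because the keytab is a long-lived credential: it must be readable by the squid user but by nobody else. The following is an added example, not from Doug's post or the Squid wiki; it checks a keytab's permission bits the way an admin would before pointing Squid at it and emits the sh-style environment line. The keytab path is an assumed example value.

```sh
#!/bin/sh
# Added example (not from the post or the Squid wiki): verify a Kerberos keytab is
# private before handing it to Squid, and print the /bin/sh environment setting.

# keytab_private FILE : succeed only if FILE is a regular file with no permission
# bits for "other". Group read is fine when the group is the one squid runs as
# (the chgrp squid / chmod g+r arrangement the wiki describes); world read is not.
keytab_private() {
  f=$1
  [ -f "$f" ] || return 1
  # columns 8-10 of "ls -l" are the "other" bits on both FreeBSD and Linux ls;
  # an ACL/extattr marker, if any, sits in column 11 and is not read.
  other=$(ls -ld "$f" | cut -c8-10)
  [ "$other" = "---" ]
}

# squid_env_line FILE : the wiki's two lines as one Bourne-shell statement, which is
# the form that belongs in the rc.d script (or a file it sources), not "setenv".
squid_env_line() {
  printf 'KRB5_KTNAME=%s; export KRB5_KTNAME\n' "$1"
}

# check_keytab_and_env [FILE] : stand-alone use; refuses to emit the env line when
# the keytab is missing or readable by others.
check_keytab_and_env() {
  kt=${1:-/usr/local/etc/squid/HTTP.keytab}   # assumed example path
  if keytab_private "$kt"; then
    squid_env_line "$kt"
  else
    echo "refusing: $kt is missing or readable by others (chmod 640, chgrp squid)" >&2
    return 1
  fi
}
```

Run `check_keytab_and_env /usr/local/etc/squid/krbcron_squid.keytab` against the keytab from the post; a clean result prints the line to drop into the startup script, a dirty one tells you which fix to apply first.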
Installing squid, where should the directories be?

Hello list.

I'm installing squid on a new 8.2-RELEASE machine. I've done it before with squid 2.x and I have notes to follow. A few questions have turned up.

I have /usr/local/squid as default directory and have made a separate mount point.

When it comes to the cache and the logs directory I can see that the squid installation has created the /var/squid/cache directory.

When Googling this problem I see both the use of /var/squid and /usr/local/squid. Where should it be?

When running the command squid -z to initialize the cache, the cache directory must be there, otherwise the command won't work.

How should I set the permissions on /usr/local/squid and the directories below? I find what I consider conflicting information; often it's quite dated.

I could not find any advice in the Handbook. I'll be happy to help making a squid chapter.

Thanks
/Leslie
Re: Installing squid, where should the directories be?
On Wed, Mar 9, 2011 at 10:27, Leslie Jensen les...@eskk.nu wrote:

> I'm installing squid on a new 8.2-RELEASE machine.

Me too.

> I have /usr/local/squid as the default directory and have made a separate mount point.

Same here. As a general rule I like to give squid its own hard drive, or its own RAID. Giving it a separate partition on a single drive is useful if you're concerned about filling the disk but that *should* be controlled by the squid configuration file. Still, it's a good idea.

> When it comes to the cache and the logs directory I can see that the squid installation has created the /var/squid/cache directory.

I've always seen /var/squid as being very Linux-centric. /usr/local/squid or /usr/local/var/squid makes more sense to me.

> When Googling this problem I see both the use of /var/squid and /usr/local/squid. Where should it be?

Yep, ultimately it doesn't matter as long as you know where it is, you document where it is and your settings are correct in /usr/local/etc/squid/squid.conf. By default squid will use /var/squid. I always change it on install.

> When running the command squid -z to initialize the cache the cache directory must be there otherwise the command won't work. How should I set the permissions on /usr/local/squid and the directories below?

I use 755, squid:squid.

> I could not find any advice in the Handbook. I'll be happy to help make a squid chapter.

I'm writing some internal documentation on deploying pf + squid 2.7.x + SNMP on FreeBSD 8.2 routers/firewalls with cacti monitoring, I'll contribute what I can. I doubt we'll see a section on squid as it's really a niche area but it's always good to have something on the list so folks doing a search can find something useful. If it's going to be a few days before you get into the heavy lifting I'll try to send something directly or maybe a link to this list this weekend.

You said you had notes from doing a 2.x installation, are you installing 3.x?

I'm sticking with 2.7.STABLE9 for storeurl support in some places and considering 3.x in others. 3.2 introduced SMP support but you can achieve pseudo-SMP support by running multiple instances on the same machine...just remember each instance has its own RAM and disk cache, which sort of kills the performance.

kmw
Re: Installing squid, where should the directories be?
On Wed, 09 Mar 2011 16:27:27 +0100 Leslie Jensen les...@eskk.nu wrote:

> Hello list. I'm installing squid on a new 8.2-RELEASE machine.
> ...
> When Googling this problem I see both the use of /var/squid and /usr/local/squid.
> ...
> I find what I consider conflicting information, often it's quite dated. I could not find any advice in the Handbook. I'll be happy to help make a squid chapter.

It's covered in UPDATING. If you search for squid it's the first entry. The change was to bring squid more in line with hier(7), at the expense of putting the default cache on a partition that's typically undersized. If you want the cache on a separate partition, and you have no good reason to put the logs on it, you might as well mount it in line with hier.
Re: Installing squid, where should the directories be?
On 2011-03-09 18:02, RW wrote:

> On Wed, 09 Mar 2011 16:27:27 +0100 Leslie Jensen les...@eskk.nu wrote:
>> Hello list. I'm installing squid on a new 8.2-RELEASE machine.
>> ...
>> When Googling this problem I see both the use of /var/squid and /usr/local/squid.
>> ...
>> I find what I consider conflicting information, often it's quite dated. I could not find any advice in the Handbook. I'll be happy to help make a squid chapter.
>
> It's covered in UPDATING. If you search for squid it's the first entry. The change was to bring squid more in line with hier(7), at the expense of putting the default cache on a partition that's typically undersized. If you want the cache on a separate partition, and you have no good reason to put the logs on it, you might as well mount it in line with hier.

Thanks! I've found it.

Well, now when all is installed and configured I think I'll stick with /usr/local/squid. In the future I'll follow the instructions from UPDATING.

Would you recommend that I still use a separate partition for /var/squid even if it's on a single drive?

/Leslie
Re: Installing squid, where should the directories be?
On 2011-03-09 17:06, Kevin Wilcox wrote:

> [...]
> You said you had notes from doing a 2.x installation, are you installing 3.x?
>
> I'm sticking with 2.7.STABLE9 for storeurl support in some places and considering 3.x in others. 3.2 introduced SMP support but you can achieve pseudo-SMP support by running multiple instances on the same machine...just remember each instance has its own RAM and disk cache, which sort of kills the performance.
>
> kmw

Thanks Kevin.

I'm ok with the configuration. My new install is version 3.1 and I'll keep /usr/local/squid for now to avoid the need for reinstalling, and to make /var/squid big enough and as a separate partition.

/Leslie
Do you have to install Apache to use sarg (and squid) with Webmin?
Hi folks,

I'm trying to put a simple proxy server together, and I have installed Squid, Sarg and Webmin, all of which are working fine. When I go into webmin to add a sarg module, I don't see it anywhere as an option. Is that because I have to install Apache first? If so, how do I then add the sarg module?

Thank you,
Ed
Re: Do you have to install Apache to use sarg (and squid) with Webmin?
No. Apache mod_proxy is independent of squid, even natd and ipfw; a reverse proxy?

Ed Flecko edfle...@gmail.com wrote:
> Hi folks, I'm trying to put a simple proxy server together, and I have installed Squid, Sarg and Webmin, all of which are working fine. When I go into webmin to add a sarg module, I don't see it anywhere as an option. Is that because I have to install Apache first? If so, how do I then add the sarg module?
> Thank you, Ed
How to push privoxy traffic through squid?
Hi folks,

I have squid installed and working fine using its default settings; if I set my browser proxy to the server address:3128, everything works fine.

I've edited the Privoxy config file and commented out:

debug 1 # Log the destination for each request Privoxy let through.
debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
debug 4096 # Startup banner and warnings
debug 8192 # Non-fatal errors

and I've added:

listen-address 127.0.0.1:8118

and

forward / 127.0.0.1:3128

to try and push the content through squid...but it doesn't work. When I change my browser proxy settings to server address:8118 I can't reach the internet.

I managed to make this work once before...but darned if I can remember how I did it! Suggestions???

Thank you,
Ed
Re: How to push privoxy traffic through squid?
Thanks Berk,

Nope...no dice, that won't work either. More suggestions??? :-)

Ed
Re: How to push privoxy traffic through squid?
On 02/24/2011 10:09 PM, Ed Flecko wrote:
> Hi folks, I have squid installed and working fine using its default settings; if I set my browser proxy to the server address:3128, everything works fine. I've edited the Privoxy config file and commented out:
> debug 1 # Log the destination for each request Privoxy let through.
> debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
> debug 4096 # Startup banner and warnings
> debug 8192 # Non-fatal errors
> and I've added:
> listen-address 127.0.0.1:8118
> and
> forward / 127.0.0.1:3128

Try this:

forward / :3128

> to try and push the content through squid...but it doesn't work. When I change my browser proxy settings to server address:8118 I can't reach the internet. I managed to make this work once before...but darned if I can remember how I did it! Suggestions???
> Thank you, Ed
Re: How to push privoxy traffic through squid?
On 02/24/2011 10:09 PM, Ed Flecko wrote:
> Hi folks, I have squid installed and working fine using its default settings; if I set my browser proxy to the server address:3128, everything works fine. I've edited the Privoxy config file and commented out:
> debug 1 # Log the destination for each request Privoxy let through.
> debug 1024 # Log the destination for requests Privoxy didn't let through, and the reason why.
> debug 4096 # Startup banner and warnings
> debug 8192 # Non-fatal errors
> and I've added:
> listen-address 127.0.0.1:8118

and also update the line above like this:

listen-address 0.0.0.0:8118

> and
> forward / 127.0.0.1:3128
> to try and push the content through squid...but it doesn't work. When I change my browser proxy settings to server address:8118 I can't reach the internet. I managed to make this work once before...but darned if I can remember how I did it! Suggestions???
> Thank you, Ed
Re: How to push privoxy traffic through squid?
On Thu, 24 Feb 2011 12:09:04 -0800 Ed Flecko edfle...@gmail.com wrote:

> Hi folks, I have squid installed and working fine using its default settings; if I set my browser proxy to the server address:3128, everything works fine.
> ...
> and I've added:
> listen-address 127.0.0.1:8118
> and
> forward / 127.0.0.1:3128
> to try and push the content through squid...but it doesn't work. When I change my browser proxy settings to server address:8118 I can't reach the internet.

I've not used privoxy, but I would have expected it to be the other way around. You connect to squid and squid goes through privoxy.
Re: How to push privoxy traffic through squid?
Gentlemen, I think I have it!

https://www.antagonism.org/web/squid-proxy.shtml

The key is to add:

cache_peer localhost parent 8118 0 default no-query no-digest no-netdb-exchange
never_direct allow all

to the squid.conf file (/usr/local/etc/squid/squid.conf) and have squid re-read its .conf file (squid -k reconfigure).

RW: You're 100% correct; you need to connect to squid which will then push traffic through Privoxy.

Thank you for your input. :-)

Ed
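Ed's working setup chains Squid in front of Privoxy. The fragment below is an added illustration, not Ed's files or the antagonism.org page, that puts the two halves side by side and keeps the one detail that matters for security: Privoxy stays bound to loopback. The `listen-address 0.0.0.0:8118` suggested earlier in the thread would expose Privoxy on every interface as an open proxy with no access control of its own; bound to 127.0.0.1, only Squid reaches it, and Squid's `http_access` rules decide who may use the chain. The LAN range 192.168.1.0/24 is an assumption.

```conf
# /usr/local/etc/squid/squid.conf  (relevant lines only; added example)

http_port 3128                          # browsers are pointed here

# Who may use the proxy: the LAN and nobody else. Squid is the only
# component with access control, so this is where it has to live.
acl localnet src 192.168.1.0/24         # assumed LAN range
http_access allow localnet
http_access deny all

# Hand every request to Privoxy on loopback; never fetch directly.
cache_peer 127.0.0.1 parent 8118 0 default no-query no-digest no-netdb-exchange
never_direct allow all

# /usr/local/etc/privoxy/config  (relevant lines only)

listen-address 127.0.0.1:8118           # loopback only: Squid is the sole client
# No "forward / 127.0.0.1:3128" here: with that line Privoxy would send the
# request straight back to Squid and the two proxies would loop.
```

After `squid -k parse` reports no errors and `squid -k reconfigure` has been run, a request through port 3128 should appear in Squid's access.log with a `*_PARENT/127.0.0.1` hierarchy code in the last column rather than `DIRECT/...`; a `DIRECT` entry means `never_direct` did not take effect and Privoxy is being bypassed.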
Install Squid on FBSD with different configure options?
Hi folks,

I want to install squid from the ports package (i.e., /usr/ports/www/squid) instead of installing from source (which, it's my understanding, would force me to create a squid user, squid group, etc. manually). However, I want squid to be installed with the ability to restrict end users' internet access based upon their PCs' MAC address, which means I need the --enable-arp-acl option when installing squid.

I have modified the Makefile (/usr/ports/www/squid/Makefile) to include this option, but now I'm a little confused - if I use the standard pkg_add squid command, won't that just fetch the package from the internet? How do I install squid from the ports package that's on my hard drive?

Am I correct in that when I install the package from my local hard drive, it will automatically create the necessary users/groups for me?

Thank you,
Ed
Re: Install Squid on FBSD with different configure options?
On Friday, February 18, 2011 01:53:27 PM Ed Flecko wrote:
> Hi folks, I want to install squid from the ports package (i.e., /usr/ports/www/squid) instead of installing from source (which, it's my understanding, would force me to create a squid user, squid group, etc. manually). However, I want squid to be installed with the ability to restrict end users' internet access based upon their PCs' MAC address, which means I need the --enable-arp-acl option when installing squid. I have modified the Makefile (/usr/ports/www/squid/Makefile) to include this option, but now I'm a little confused - if I use the standard pkg_add squid command, won't that just fetch the package from the internet? How do I install squid from the ports package that's on my hard drive?

cd /usr/ports/www/squid
make config
make install clean
Re: Install Squid on FBSD with different configure options?
Ed Flecko wrote:
> Hi folks, I want to install squid from the ports package (i.e., /usr/ports/www/squid) instead of installing from source (which, it's my understanding, would force me to create a squid user, squid group, etc. manually). However, I want squid to be installed with the ability to restrict end users' internet access based upon their PCs' MAC address, which means I need the --enable-arp-acl option when installing squid. I have modified the Makefile (/usr/ports/www/squid/Makefile) to include this option, but now I'm a little confused - if I use the standard pkg_add squid command, won't that just fetch the package from the internet?

There are two ways to install software in FreeBSD. pkg_add will download and install a binary that has been previously compiled using the ports system, just it is prebuilt. You will not be able to change build-time parameters, e.g. the Makefile changes above will have no effect on a package.

The other way is to utilize the ports system to compile from source locally. This allows for build-time config changes, such as your Makefile edit. Generally, most of the time, most of these options already exist and make config will give you a menu to choose them. In this case, you will download the source code tarball and not a prebuilt package.

> How do I install squid from the ports package that's on my hard drive?

As per instructions in other email. There is not a ports 'package' on your hard drive. There is a 'ports system', which is a build system for compiling applications locally. It is this same build system which is used to generate the binary packages for use with pkg_add.

Please read the pertinent sections in the Handbook for more detailed information. Pay attention to something referred to as 'updating the ports tree' as this is usually something newcomers stumble over. Hint: the ports tree is responsible for dependency tracking/resolution. So anytime before installing or updating software you should update your ports tree first. There are sections in the Handbook which cover this.

> Am I correct in that when I install the package from my local hard drive, it will automatically create the necessary users/groups for me?

Yes.

-Mike
Re: Install Squid on FBSD with different configure options?
On Fri, 18 Feb 2011 08:53:27 -0800 Ed Flecko edfle...@gmail.com wrote:

> Hi folks, I want to install squid from the ports package (i.e., /usr/ports/www/squid) instead of installing from source (which, it's my understanding, would force me to create a squid user, squid group, etc. manually). However, I want squid to be installed with the ability to restrict end users' internet access based upon their PCs' MAC address, which means I need the --enable-arp-acl option when installing squid. I have modified the Makefile (/usr/ports/www/squid/Makefile) to include this option,

Don't do that or you will have to maintain it. Revert the change, then run make config in the port directory and select "Enable ACLs based on ethernet address" from the menu. The option will be remembered for future upgrades too. Alternately set WITH_SQUID_ARP_ACL=yes in make.conf.
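Once the port is built with that option, the ACL itself is a squid.conf matter. The fragment below is an added example, not from the thread; the MAC addresses and LAN range are placeholders, and it is written for the Squid 2.7/3.1 releases discussed here, where the ACL type is still called `arp`. Two limits belong next to it before anyone relies on it as an access control: Squid fills the `arp` ACL from the proxy host's own ARP table, so it only matches clients on the same Ethernet segment as the proxy (a client behind a router is seen with the router's MAC, or none, and never matches), and a MAC address is set by the client and trivially changed, so listing MACs is a convenience filter, not authentication. Pairing it with a source-address ACL, as below, at least keeps a spoofed MAC from opening the proxy to addresses outside the LAN.

```conf
# squid.conf fragment (added example; addresses are placeholders)

# Populated from this host's ARP table: only meaningful for clients on the
# same Ethernet segment as the proxy. A MAC is client-chosen and spoofable.
acl allowed_macs arp 00:11:22:33:44:55
acl allowed_macs arp 00:11:22:33:44:66

acl localnet src 192.168.1.0/24          # assumed LAN range

# Both must match on one line: a LAN source address AND a listed MAC.
http_access allow localnet allowed_macs
http_access deny all
```

`squid -v` lists the configure options the binary was built with, which is the quick way to confirm the ARP ACL support actually made it into the build before `squid -k parse` is asked to accept the `arp` lines.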
Re: Will FBSD Squid port create squid user and group?
* Ed Flecko edfle...@gmail.com [gmane.os.freebsd.questions]:

> Hi folks, I guess this is a two-faceted question:
>
> 1.) If I install Squid from a port, will it create the recommended squid user and group for me, or will I need to pre-create a squid user and group prior to Squid running?

Yes. The code that manages this is in www/squid/files/pkg-install.in. The uid/gid of the user/group that the port/package will add is hardwired to 100 whereas the name of the actual user/group can be overridden when you build the port from source. Use SQUID_UID=foo SQUID_GID=bar in your make(1) environment if you intend to do this. If you install the pre-built package via pkg_add, user and group squid with uid 100 will be added unless a user/group with this name already exists.

> I like the idea of modifying SQUID_CONFIGURE_ARGS in the squid port Makefile to customize the software before I compile and install it, but if it doesn't create the user and group for you...what advantage do you gain to install from a port -vs- downloading the tarball and building from source?

The port tries to ensure that Squid complies with the FreeBSD file system hierarchy standards and it installs more helpers than what you would normally get when you install Squid from the distribution tarball. Just have a look at the definition of the CONFIGURE_ARGS make macro in the port's Makefile to see which options the port enables by default. As a bonus you get a dialog(1) based configuration dialog for the fancier options. A port is basically a wrapper that tries to automate everything you would otherwise need to do manually when you install directly from source.

> 2.) As a general rule, when you install software that needs a special user/group, will those users/groups be created when you install from ports, or only from packages?

Pre-built package and installation from port should behave the same in this respect. Everything else is a bug.

Best regards,
-- Thomas-Martin Seck current maintainer of www/squid{,30,31}
Will FBSD Squid port create squid user and group?
Hi folks,

I guess this is a two-faceted question:

1.) If I install Squid from a port, will it create the recommended squid user and group for me, or will I need to pre-create a squid user and group prior to Squid running? I like the idea of modifying SQUID_CONFIGURE_ARGS in the squid port Makefile to customize the software before I compile and install it, but if it doesn't create the user and group for you...what advantage do you gain to install from a port -vs- downloading the tarball and building from source? :-)

2.) As a general rule, when you install software that needs a special user/group, will those users/groups be created when you install from ports, or only from packages?

Thank you,
Ed
Re: Will FBSD Squid port create squid user and group?
On Wed, 22 Sep 2010 09:43:04 -0700, Ed Flecko edfle...@gmail.com wrote:

> I like the idea of modifying SQUID_CONFIGURE_ARGS in the squid port Makefile to customize the software before I compile and install it, [...]

Instead of modifying the Makefile itself, consider writing your changes into a Makefile.local which will be used to override settings in Makefile. At least, it worked that way in the past...

> [...] what advantage do you gain to install from a port -vs- downloading the tarball and building from source?

Using packages always gives you the DEFAULT settings the corresponding port was built with. If you need to change those settings, use the port, Luke. :-)

> 2.) As a general rule, when you install software that needs a special user/group, will those users/groups be created when you install from ports, or only from packages?

As far as I remember, those post-installation tasks will be done in both cases. So port AND package will create them.

-- Polytropon
Magdeburg, Germany
Happy FreeBSD user since 4.0
Andra moi ennepe, Mousa, ...
Re: [squid-users] One slow Website Through Proxy
What about running a packet sniffer, like Wireshark, and looking at the trace file? Start a trace file before trying to access the web site, then look at the Delta time (time between packets) and see where the delay is?

Ed
FreeBSD 8.1 Squid suggestions?
Hi folks,

I have a small group of people in my office (less than 20), and I want to set up a FBSD/Squid server, and I'm hoping someone might have some suggestions for the install.

It's a clean install of FBSD 8.1, and the sole purpose of the server is a Squid server. The server has a 500 GB SATA hard drive, and 8 GB of RAM. I've installed Squid before (on an OpenBSD server), so I'm comfortable with Squid. I'll install from a package (to make my life easy), but I'm not sure if there are any FBSD specific changes I should make?

Are there any kernel customizations you might recommend I need? Are there any suggestions you might make to improve performance?

Suggestions?

Thank you,
Ed
Re: FreeBSD 8.1 Squid suggestions?
Thanks Dennis! These are config options you've changed within the squid.conf file??? Can you give me some specifics as to what you changed and why you changed it?

Thank you,
Ed
Re: FreeBSD 8.1 Squid suggestions?
Hello

No problem! I use Squid on a ProLiant HP 360 with 2 GB RAM and 100 GB of disk cache. It serves our LAN clients (approx. 800 PCs) without trouble with a standard kernel.

Hope this helps.

On 21/09/2010 21:41, Ed Flecko wrote:
> Hi folks, I have a small group of people in my office (less than 20), and I want to set up a FBSD/Squid server, and I'm hoping someone might have some suggestions for the install.
> [...]
> Are there any kernel customizations you might recommend I need? Are there any suggestions you might make to improve performance?
Re: FreeBSD 8.1 Squid suggestions?
Hi Ed,

For my office, I add IPFIREWALL_FORWARD into the kernel so that I can transparently route all HTTP traffic without any client configuration. My ipfw rule is:

ipfw add 550 fwd 127.0.0.1,3128 tcp from ${int_net} to any 80 via ${int_if}

Patrick

On Tue, Sep 21, 2010 at 12:41 PM, Ed Flecko edfle...@gmail.com wrote:
> Hi folks, I have a small group of people in my office (less than 20), and I want to set up a FBSD/Squid server, and I'm hoping someone might have some suggestions for the install.
> [...]
> Are there any kernel customizations you might recommend I need? Are there any suggestions you might make to improve performance?
ipfw fwd for transparent proxy (squid) - but, not on loopback
Hey all -

I've been trying to implement a transparent proxy for all outgoing traffic to port 80 to forward to a proxy server. The problem is that the proxy itself resides on a different host than the forward rule does. Has anyone done something similar? Ideally I'd like to implement with ipfw, but not opposed to other suggestions?

Internet - firewall/gateway - proxy server - LAN/clients

Where the firewall/gateway is the central router for multiple networks, including the public subnet which 'proxy server' gets its external IP from. So ideally I would like something along the lines of this (assuming the proxy server is running on 10.1.1.12:3128):

ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.2.0/24 to any 80 via 10.1.2.254
ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.3.0/24 to any 80 via 10.1.3.254
ipfw add 600 fwd 10.1.1.12,3128 tcp from 10.1.1.0/26 to any 80 via 10.1.1.1

I have tried the identical rules to above using 127.0.0.1,3128 - of course starting up squid on the gateway machine too... the problem is that machine simply doesn't have the resources and I'd prefer to run squid on a different host.

Any suggestions or referrals to RTFM somewhere would be greatly appreciated.

Thanks.
-- Nathan Vidican nat...@vidican.com
Re: ipfw fwd for transparent proxy (squid) - but, not on loopback
On Mon, Sep 13, 2010 at 11:53 AM, Nathan Vidican nat...@vidican.com wrote:
> Hey all - I've been trying to implement a transparent proxy for all outgoing traffic to port 80 to forward to a proxy server. The problem is that the proxy itself resides on a different host than the forward rule does.
> [...]
> Any suggestions or referrals to RTFM somewhere would be greatly appreciated.

Go figure, five minutes after posting I found what I needed in squid's documentation. FYI in case anyone comes across this thread, what I had been doing wrong was 'http_port 3128 transparent' should have been 'http_port 3128 intercept' instead. See this link for more details: http://wiki.squid-cache.org/ConfigExamples/Intercept/FreeBsdIpfw

-- Nathan Vidican nat...@vidican.com
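Patrick's single-host rule and Nathan's remote-proxy layout (both above) need the same two pieces: ipfw `fwd` rules that carve out the traffic the proxy must never see, and `http_port 3128 intercept` on the Squid side. The script below is an added example, not Patrick's, Nathan's or the Squid wiki's; the interface and network names are assumptions. It generates the rule set as text so it can be reviewed before loading, and the ordering is the point: the proxy's own outbound fetches have to be allowed before the `fwd` rule. Nathan's third rule matches `10.1.1.0/26`, the subnet his proxy 10.1.1.12 lives on, so without an exclusion every connection Squid opens to an origin server on port 80 is forwarded straight back to Squid and loops. For the remote-proxy case, ipfw `fwd` to another host only changes the next hop; the packet still carries the original web server as its destination, so the proxy host needs its own `fwd 127.0.0.1,3128` rule to pull those packets into Squid, and the intercept port should not be reachable from outside the LAN, because an intercept port will connect to whatever destination the packet names.

```sh
#!/bin/sh
# Added example (not from the thread): generate ipfw rules for intercepting
# port-80 traffic into Squid. Nothing is applied unless the output is fed
# to ipfw. The Squid side must carry:  http_port 3128 intercept

# ipfw_intercept_rules BASE INT_IF INT_NET PROXY
#   BASE     first rule number; four consecutive numbers are used
#   INT_IF   interface the clients arrive on
#   INT_NET  client network in CIDR form
#   PROXY    127.0.0.1 when Squid runs on this box, otherwise the proxy
#            host's address (that host then needs its own fwd 127.0.0.1 rule)
ipfw_intercept_rules() {
    base=$1 int_if=$2 int_net=$3 proxy=$4
    # 1. This host's own fetches are never intercepted ("me" = all local
    #    addresses); matters when Squid runs here.
    printf 'add %d allow tcp from me to any 80 out\n' "$base"
    # 2. The proxy's fetches are never intercepted; without this a proxy
    #    inside INT_NET (Nathan's 10.1.1.12 in 10.1.1.0/26) loops on itself.
    printf 'add %d allow tcp from %s to any 80\n' "$((base + 1))" "$proxy"
    # 3. Traffic to internal web servers stays off the proxy.
    printf 'add %d allow tcp from %s to %s 80\n' "$((base + 2))" "$int_net" "$int_net"
    # 4. Everything else from the LAN to port 80 goes to Squid.
    printf 'add %d fwd %s,3128 tcp from %s to any 80 in via %s\n' \
        "$((base + 3))" "$proxy" "$int_net" "$int_if"
}

# count_fwd_rules TEXT -> number of fwd rules in a generated set.
# Sanity check before loading: exactly one fwd rule per client network.
count_fwd_rules() {
    printf '%s\n' "$1" | grep -c ' fwd '
}

# Apply on the firewall as root (one call per client network, distinct BASE):
#   ipfw_intercept_rules 550 em1 10.1.2.0/24 10.1.1.12 |
#       while read -r rule; do ipfw -q $rule; done
```

The exclusions in rules 1 and 2 are what keep the setup from looping; the intranet carve-out in rule 3 is optional but keeps internal web traffic, and its logs, out of the proxy.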
Re: Should a squid user have a shell?
Excellent! Thanks for the tips!

Ed
Should a squid user have a shell?
Hi folks,

I'm looking in some documentation for Squid, which I'm installing on a FBSD 8.1 server, and it says I need to create a squid user and a squid group because I'm building/installing from source. I see to create the squid user, I use the (of course) adduser command (there isn't a default squid user with the base install, is there?).

1.) When I use the adduser command, from a security perspective, should the squid user have a shell? What should it be?
2.) How do I create a squid group and add the squid user to it?
3.) Since the squid user needs full access to the squid directory and all of its files, what's the easiest way to give the appropriate permissions?

Thank you,
Ed
Re: Should a squid user have a shell?
On Wed 2010-09-01 09:02:45 UTC-0700, Ed Flecko (edfle...@gmail.com) wrote:
> I'm looking in some documentation for Squid, which I'm installing on a FBSD 8.1 server, and it says I need to create a squid user and a squid group because I'm building/installing from source.

All of this is done automatically if you build Squid from source using the Ports tree - probably www/squid, or www/squid31. Are you sure you want to do it manually?

Regards
Andrew
Re: Should a squid user have a shell?
Thank you Jerry.

The only reason I'm not using the squid port is because I found a website ( http://teklimbu.wordpress.com/2007/10/03/enterprise-freebsd-squid-proxy-server/ ) that has detailed instructions on installing squid for an Enterprise environment claiming the performance is very good. Since I'm new to using squid and using squid on FreeBSD, I'm simply trying to duplicate his setup. It's quite possible that I could achieve the same performance results from using the port install of squid...but maybe I wouldn't. :-)

Ed
Re: Should a squid user have a shell?
On Wed, Sep 1, 2010 at 9:02 AM, Ed Flecko edfle...@gmail.com wrote:
> [quoted Ed's original question, reproduced in full above]

Service accounts shouldn't have a password (their password field should be starred out) and should have a shell of /usr/sbin/nologin (this program logs any attempt to run it and exits). The port uses the following commands to set this up:

pw groupadd squid -g 100 -q
pw useradd -q -n squid -u 100 -g squid -c "Squid caching-proxy pseudo user" -d /var/squid -s /usr/sbin/nologin -h -

This assumes data is in /var/squid. You can create this directory and use chmod/chown to give the user and group necessary permissions. The UID and GID (100 and 100 in this case) come from the lists in /usr/ports and are reserved for squid to avoid conflicts.

-- Rob Farmer
Re: Should a squid user have a shell?
On Wed, Sep 1, 2010 at 12:38 PM, Rob Farmer rfar...@predatorlabs.net wrote:
> [quoted Rob's reply above, through the pw useradd command]

Addendum: the -q flag suppresses output/errors - good for a script, but you probably want to remove it for interactive use.

-- Rob Farmer
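A check in the spirit of Rob's advice, added here as an example and not part of the squid port: after creating service accounts by hand it is easy to end up with one that still has a login shell or an unlocked password field. The script below audits passwd(5)-format entries (what `pw usershow -a` or /etc/passwd gives you) and flags low-UID accounts that can still log in. The sample entries are constructed for this example; the squid line matches what the pw useradd command above produces, the proxy, www and ed lines are made up to show the failure cases.

```shell
#!/bin/sh
# Added example, not code from the squid port. Audits passwd(5)-format
# entries and flags service accounts (UID below 1000, root excepted) that
# still have a real login shell or a password field that is not locked.
# The sample entries below are constructed for this example.

SAMPLE_PASSWD='root:*:0:0:Charlie &:/root:/bin/csh
squid:*:100:100:Squid caching-proxy pseudo user:/var/squid:/usr/sbin/nologin
proxy:*:62:62:Packet Filter pseudo-user:/nonexistent:/bin/sh
www::80:80:World Wide Web Owner:/nonexistent:/usr/sbin/nologin
ed:$6$saltsalt$hashhash:1001:1001:Ed Flecko:/home/ed:/bin/sh'

# is_locked_password FIELD: "*" (what pw useradd -h - stores) and the
# "*LOCKED*" prefix can never match a hash. An empty field is the worst
# case: it means login with no password at all.
is_locked_password() {
    case "$1" in
        '*'|'*LOCKED*'*) return 0 ;;
        *) return 1 ;;
    esac
}

# is_nologin_shell SHELL: the shells that refuse interactive logins.
is_nologin_shell() {
    case "$1" in
        /usr/sbin/nologin|/sbin/nologin) return 0 ;;
        *) return 1 ;;
    esac
}

# audit_service_accounts PASSWD_TEXT: print one "name: reason" line per
# offending account; print nothing when every service account is locked down.
audit_service_accounts() {
    printf '%s\n' "$1" | while IFS=: read -r name pw uid gid gecos home shell; do
        [ "$name" = root ] && continue
        [ "$uid" -ge 1000 ] && continue
        reason=""
        is_nologin_shell "$shell" || reason="shell=$shell"
        is_locked_password "$pw" || reason="$reason${reason:+ }passwd=${pw:-<empty>}"
        if [ -n "$reason" ]; then
            printf '%s: %s\n' "$name" "$reason"
        fi
    done
}

audit_service_accounts "$SAMPLE_PASSWD"
```

On the sample it reports `proxy: shell=/bin/sh` and `www: passwd=<empty>` and says nothing about squid, which is the state the pw useradd command above leaves the account in. To run it against a live box, feed it `pw usershow -a` output instead of the constructed string; the 1000 cut-off is this example's assumption about where human accounts start.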
Re: Should a squid user have a shell?
On Wed, Sep 1, 2010 at 11:38 AM, Ed Flecko edfle...@gmail.com wrote:
> [quoted Ed's message above about the teklimbu.wordpress.com instructions]

If you are looking for a high performance reverse proxy cache, look at varnish instead of squid. That being said, squid will work fine too. If you don't know what you need, it's probably better to always stick with ports rather than compiling yourself. A lot of bug fixes, FreeBSD specific patches, and testing goes into the ports tree -- that's why it's such a useful package management system.

-- Adam Vande More
Re: Should a squid user have a shell?
On Wed, 1 Sep 2010 09:38:03 -0700 Ed Flecko edfle...@gmail.com wrote:
> [quoted Ed's message above about the teklimbu.wordpress.com instructions]

You might as well build the port. There's nothing special in his configure settings - although the squid port provides a variable for this if you want to add extra configure settings not supported by the port options. The port will apply some patches to the code that may, or may not, be needed. It will also provide an rc script and create the user/group.

Either way you need to run squid -z to create the directories. IIRC this will create the directories with the correct ownership if the effective user/group is correct in squid.conf.

That just leaves squid.conf which you have to set up anyway, since the port defaults to a small ufs cache. I'd suggest taking the default and stripping out the very lengthy comments, and then merging in any settings you want from his file - having looked up what they actually do. Some of his settings are sensible, such as using diskd, some less so, such as the acl to deny query url caching, which is more efficiently handled through refresh patterns in the default file. Also I'd suggest not using heap GDSF/LFUDA cache replacement until you have established you can't get a week's retention from the default lru policy. The suggestion of running a local dns cache shouldn't make much difference since squid does its own caching.
Re: Should a squid user have a shell?
On Wed, 1 Sep 2010 16:14:38 -0700 Ed Flecko edfle...@gmail.com wrote:
> Thanks RW! How do I make the changes you've suggested, i.e., like changing from the small UFS cache, etc.; that can all be done by altering the squid.conf file?

Yes, take a look at the cache_dir lines in the squid.conf file in the howto link. You don't need two cache_dir entries, unless you have two separate disks (usually non-raid). You do need to modify the size field (documented in squid.conf.default).

> Also, what do you mean about the variable to change some of the ./configure options that are not part of the default?

Take a look at SQUID_CONFIGURE_ARGS in the squid port Makefile.

BTW The last I heard, the 2.7 branch in www/squid is still faster than the later 3.x branches.
Re: Squid not starting from rc in Jail, however works when run from root as command??
Kaya Saman wrote:
> [quoted Kaya's original post, reproduced in full below; the body of this reply is cut off in the archive]
Re: Squid not starting from rc in Jail, however works when run from root as command??
On 06/01/2010 03:14 AM, Kaya Saman wrote:
> Kaya Saman wrote:
> > [quoted Kaya's original post, reproduced in full below; the body of this reply is cut off in the archive]
Squid not starting from rc in Jail, however works when run from root as command??
Hi guys,

I've just built a new BSD server running on a Mini-ITX NAS chassis and it's working beautifully :-) I also took the time to learn how to build jails too as this is only my second BSD build so am still really new to it although not to UNIX as I use Solaris and Linux frequently.

Anyhow I'm trying to migrate config which was on an old SPARC server running Solaris 9 with a version of Squid got from the Blastwave repos and currently I'm having major issues with it. Basically I think I've worked through to figure out that running as user Squid or Proxy doesn't give me access to ports < 1024, basically the 'well known' ports.

Here is the error message I get from Squid when trying to start it using the rc.d file:

May 31 17:47:11 proxy squid[4360]: Cannot open HTTP Port
May 31 17:47:11 proxy squid[4358]: Squid Parent: child process 4360 exited due to signal 6
May 31 17:47:14 proxy squid[4358]: Squid Parent: child process 4364 started
May 31 17:47:15 proxy squid[4364]: Cannot open HTTP Port
May 31 17:47:15 proxy squid[4358]: Squid Parent: child process 4364 exited due to signal 6
May 31 17:47:18 proxy squid[4358]: Squid Parent: child process 4367 started
May 31 17:47:18 proxy squid[4367]: Cannot open HTTP Port
May 31 17:47:18 proxy squid[4358]: Squid Parent: child process 4367 exited due to signal 6
May 31 17:47:21 proxy squid[4358]: Squid Parent: child process 4370 started
May 31 17:47:21 proxy squid[4370]: Cannot open HTTP Port
May 31 17:47:21 proxy squid[4358]: Squid Parent: child process 4370 exited due to signal 6

If however I start Squid using /usr/local/sbin/squid -NCd1 as root I get this and Squid works:

proxy# /usr/local/sbin/squid -NCd1
2010/05/31 17:55:54| Starting Squid Cache version 2.7.STABLE7 for amd64-portbld-freebsd8.0...
2010/05/31 17:55:54| Process ID 4484
2010/05/31 17:55:54| With 11095 file descriptors available
2010/05/31 17:55:54| Using kqueue for the IO loop
2010/05/31 17:55:54| Performing DNS Tests...
2010/05/31 17:55:54| Successful DNS name lookup tests...
2010/05/31 17:55:54| DNS Socket created at 0.0.0.0, port 39116, FD 6
2010/05/31 17:55:54| Adding nameserver 192.168.1.100 from /etc/resolv.conf
2010/05/31 17:55:54| Adding nameserver 192.168.1.101 from /etc/resolv.conf
2010/05/31 17:55:54| logfileOpen: opening log /var/log/squid/access.log
2010/05/31 17:55:54| Unlinkd pipe opened on FD 11
2010/05/31 17:55:54| Swap maxSize 102400 + 8192 KB, estimated 8507 objects
2010/05/31 17:55:54| Target number of buckets: 425
2010/05/31 17:55:54| Using 8192 Store buckets
2010/05/31 17:55:54| Max Mem size: 8192 KB
2010/05/31 17:55:54| Max Swap size: 102400 KB
2010/05/31 17:55:54| logfileOpen: opening log /var/log/squid/store.log
2010/05/31 17:55:54| Rebuilding storage in /usr/local/squid/cache (DIRTY)
2010/05/31 17:55:54| Using Least Load store dir selection
2010/05/31 17:55:54| Set Current Directory to /var/spool/squid
2010/05/31 17:55:54| Loaded Icons.
2010/05/31 17:55:54| Accepting accelerated HTTP connections at 192.168.1.110, port 80, FD 13.
2010/05/31 17:55:54| Accepting ICP messages at 0.0.0.0, port 3130, FD 14.
2010/05/31 17:55:54| Accepting SNMP messages on port 3401, FD 15.
2010/05/31 17:55:54| WCCP Disabled.
2010/05/31 17:55:54| Configuring x-ray Parent x-ray/80/0
2010/05/31 17:55:54| Configuring zeta-ray Parent zeta-ray/80/0
2010/05/31 17:55:54| Configuring delta-ray Parent delta-ray/80/0
2010/05/31 17:55:54| Configuring g-stat-1 Parent g-stat-1/80/0
2010/05/31 17:55:54| Ready to serve requests.
2010/05/31 17:55:54| Done reading /usr/local/squid/cache swaplog (0 entries)
2010/05/31 17:55:54| Finished rebuilding storage from disk.
2010/05/31 17:55:54| 0 Entries scanned
2010/05/31 17:55:54| 0 Invalid entries.
2010/05/31 17:55:54| 0 With invalid flags.
2010/05/31 17:55:54| 0 Objects loaded.
2010/05/31 17:55:54| 0 Objects expired.
2010/05/31 17:55:54| 0 Objects cancelled.
2010/05/31 17:55:54| 0 Duplicate URLs purged.
2010/05/31 17:55:54| 0 Swapfile clashes avoided.
2010/05/31 17:55:54| Took 0.4 seconds ( 0.0 objects/sec).
2010/05/31 17:55:54| Beginning Validation Procedure
2010/05/31 17:55:54| Completed Validation Procedure
2010/05/31 17:55:54| Validated 0 Entries
2010/05/31 17:55:54| store_swap_size = 0k
2010/05/31 17:55:55| storeLateRelease: released 0 objects

Running uname -a gives me this:

FreeBSD Zeta-Ray.optiplex-networks.com 8.0-RELEASE FreeBSD 8.0-RELEASE #0: Sat Nov 21 15:02:08 UTC 2009 r...@mason.cse.buffalo.edu:/usr/obj/usr/src/sys/GENERIC amd64

and also Squid was built from ports too!!

Because I built the system in a Jail I am using this syntax to bind the port to the IP address:

http_port 192.168.1.110:80 accel defaultsite=domain.com vhost

When I mean Jail I am talking about FreeBSD Jails and not chroot syntax :-)

Can anybody offer me any advice or anywhere else to turn as I really don't know what's going on

Many thanks!

Kaya
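The symptom Kaya describes (works started as root, "Cannot open HTTP Port" when started as the squid user) is the classic reserved-port problem: on FreeBSD a process without root privilege cannot bind a TCP port below 1024. As an added example, not from the thread, the preflight check below parses the listener directives of a squid.conf and reports every port below 1024 that a non-root start would fail on. The config lines are constructed for this example; only the http_port line mirrors the one Kaya quoted, and the user the start script runs Squid as is passed in as an argument because it depends on your rc script (an assumption here, not something the post states).

```shell
#!/bin/sh
# Added example, not code from the thread or the squid port. Preflight check
# for a Squid start as an unprivileged user: list every configured listener
# on a port below 1024, which a non-root process cannot bind on FreeBSD.
# The config fragment is constructed; the http_port line mirrors the post.

SAMPLE_CONF='# constructed squid.conf fragment
http_port 192.168.1.110:80 accel defaultsite=domain.com vhost
http_port 3128
icp_port 3130
snmp_port 3401
cache_effective_user squid'

# port_of SPEC: the numeric port in "80", "192.168.1.110:80" or "[::1]:80".
port_of() {
    case "$1" in
        *:*) echo "${1##*:}" ;;
        *)   echo "$1" ;;
    esac
}

# privileged_listeners CONF RUN_AS_USER: print "directive port" for every
# listener below 1024 when RUN_AS_USER is not root; print nothing otherwise.
privileged_listeners() {
    conf=$1
    run_as=$2
    [ "$run_as" = root ] && return 0
    printf '%s\n' "$conf" | while read -r directive spec rest; do
        case "$directive" in
            http_port|https_port|icp_port|htcp_port|snmp_port) ;;
            *) continue ;;
        esac
        port=$(port_of "$spec")
        case "$port" in
            ''|*[!0-9]*) continue ;;   # not a numeric port, nothing to check
        esac
        if [ "$port" -lt 1024 ]; then
            printf '%s %s\n' "$directive" "$port"
        fi
    done
}

privileged_listeners "$SAMPLE_CONF" squid
```

On the sample this prints `http_port 80` and nothing for the 3128/3130/3401 listeners, which is exactly the one socket Kaya's log shows failing. The ways around it on FreeBSD (these are this note's suggestions, not from the thread) are to let the start script run Squid as root and rely on cache_effective_user to drop privileges after the sockets are open, or to grant the squid UID the port explicitly with mac_portacl(4), e.g. `security.mac.portacl.rules=uid:100:tcp:80`; either sysctl change has to be made on the host, since a jail cannot alter it.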
dansguardian + squid running on local machine
Hello fellow BSD users - I have dansguardian listening on 127.0.0.1:8080 - squid listening on 127.0.0.1:3128 on the same computer for content filtering and caching for the kids. I also have an ipfw ruleset. I'm able to browse the Internet fine but I just want to make sure http requests are going through my ipfw ruleset. How do I know if my website requests are going through the ipfw rules and coming back through them? The rule below allows everything through the loopback interface, is that what's allowing squid and dansguardian to work? If so, I would like to know what rules specifically I can add for dansguardian and squid?

allow all from any to any via lo0
Re: dansguardian + squid running on local machine
Mexican Loser wrote:
> [quoted the original question above]

For starters, read up in the Handbook on ipfw. You're really going to want to understand what you are doing. It may help to define your rules in English, then try and figure out the syntax for ipfw.

You should look carefully at your network setup. I'm assuming you have a BSD box dual-homed to your ISP, and doing NAT for your LAN?

Your loopback interface must always work, otherwise Bad Stuff(tm) will happen. That's the rule you have up there.

After that, write out your rules in English:

1. I can connect to anything from the gateway/server.
2. Nothing can come in from outside.
3. No one else can connect to anything outside the gateway/server.
4. Everyone inside can connect to the gateway/server.

Etc. After that, it's just a matter of figuring out ipfw's syntax.

HTH,
Kevin Kinsey

P.S. You'll get some recommendations for other firewalls, too. Use whichever one makes sense to you :-)
Squid reporting incorrect time
Hi guys,

I've had my squid proxy running fine for quite some time now but just one thing bothers me. When a page cannot be displayed, the date and time showing on that page is incorrect even though the system date and time is correct. I've checked the squid.conf file in case there was something in there I was supposed to set but I can't find anything. I'm running FreeBSD 8.0-RELEASE and I'm still pretty new to it, I'm generally a GNU/Linux user.

Cheers,
Ty
Re: Squid reporting incorrect time
On Sun, 28 Feb 2010 09:07:27 +1030 Ty John (sand_man) ty...@eye-of-odin.com wrote:
> Hi guys, I've had my squid proxy running fine for quite some time now but just one thing bothers me. When a page cannot be displayed, the date and time showing on that page is incorrect even though the system date and time is correct.

Works for me. Are you sure the error page is generated by your cache? Do you see your own hostname in the page?
Re: Squid reporting incorrect time
On Sun, 28 Feb 2010 00:03:19 + RW rwmailli...@googlemail.com wrote:
> [quoted RW's reply above]

Yes I'm 100% sure. I'll check out those other links Jon just posted.
Re: Squid reporting incorrect time
On 2/27/10 7:59 PM, Ty John (sand_man) wrote:
> [quoted Ty's reply above]

He's referring to my mail where I mentioned:

Try http://www.linuxreaders.com/2009/08/10/squid-change-timezone/

See also the distinction between %t and %T at http://wiki.squid-cache.org/Features/CustomErrors

-- Jon Radel j...@radel.com
Re: Squid reporting incorrect time
On Sat, 27 Feb 2010 20:06:31 -0500 Jon Radel j...@radel.com wrote:
> [quoted Jon's reply above]

I got it working. Thanks for your help.
Re: Transparent Proxy with IPFW + Squid 2.7
Cagri Ersen wrote:
> I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also install squid 2.7

I am running such a setup, but with pf. Works fine. Maybe it helps.

pf rule I am using:

demo=dc0
rdr on $demo proto tcp from any to any port 80 -> 127.0.0.1 port 3128

Squid config file:

# Squid normally listens to port 3128
http_port 127.0.0.1:3128 transparent

Greetings,
O.K.

--
Testi oma Interneti kiirust / Test Your Internet speed: http://speedtest.zzz.ee/
Re: Transparent Proxy with IPFW + Squid 2.7
Ott Köstner wrote:
> Cagri Ersen wrote:
>> I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also install squid 2.7
>
> I am running such a setup, but with pf. Works fine. Maybe it helps

Oh, before compiling Squid, in Squid port directory:

# make config

  [X] SQUID_IPFW  Enable transparent proxying with IPFW
  [X] SQUID_PF    Enable transparent proxying with PF

> pf rule I am using:
>
> demo=dc0
> rdr on $demo proto tcp from any to any port 80 -> 127.0.0.1 port 3128
>
> Squid config file:
>
> # Squid normally listens to port 3128
> http_port 127.0.0.1:3128 transparent

Greetings,
O.K.

--
Testi oma Interneti kiirust / Test Your Internet speed: http://speedtest.zzz.ee/
Transparent Proxy with IPFW + Squid 2.7
Hi there,

I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also installed squid 2.7. This is the content of my squid.conf:

acl manager proto cache_object
acl localhost src 127.0.0.1/32
acl to_localhost dst 127.0.0.0/8
acl all src all
acl localnet src 192.168.12.0/24
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access allow localnet
icp_access allow localnet
icp_access deny all
http_port 3128 transparent
hierarchy_stoplist cgi-bin ?
access_log /usr/local/squid/logs/access.log squid
refresh_pattern ^ftp:           1440    20%     10080
refresh_pattern ^gopher:        1440    0%      1440
refresh_pattern (cgi-bin|\?)    0       0%      0
refresh_pattern .               0       20%     4320
icp_port 3130
coredump_dir /usr/local/squid/cache

And these are the base IPFW rules:

$cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
$cmd 02000 allow $log all from any to any

As you can see, all packets with destination port 80 are forwarded to squid's port (3128). With this configuration everything seems to work fine. However, if I deny all traffic in the last rule and then open the desired ports or connections one by one, squid doesn't work. A sample base denying rule set looks like this:

$cmd 00010 allow all from any to any via lo0
$cmd 00015 check-state
$cmd 00020 allow tcp from any to any established
$cmd 00021 deny all from any to any frag in via $adslif
$cmd 00025 allow all from me to any keep-state
$cmd 00050 allow tcp from table() to any keep-state
$cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
$cmd 00600 allow all from $lan to any 53
$cmd 00602 allow udp from any 53 to any out via $lanif
$cmd 00603 allow udp from any 53 to any in via $adslif
$cmd 01500 allow all from $lan to any 443,25,110 keep-state
$cmd 02000 deny $log all from any to any

As I said, if I run IPFW with these rules, my client can't surf the internet. And I didn't see anything about denying in the ipfw log file. Also there is no activity in the squid log files. I think the forwarding rule doesn't work with that conf. So please, can somebody tell me what's wrong in this situation? Thanks in advance for your help.

--
Cagri Ersen
Re: Transparent Proxy with IPFW + Squid 2.7
On Nov 23, 2008, at 2:30 PM, Cagri Ersen wrote:
> Hi there,
>
> I want to configure a transparent proxy with IPFW and Squid. I enabled IPFW on a FreeBSD 7.0 and also installed squid 2.7.
>
> [...]
>
> As you can see, all packets with destination port 80 are forwarded to squid's port (3128). With this configuration everything seems to work fine. However, if I deny all traffic in the last rule and then open the desired ports or connections one by one, squid doesn't work. A sample base denying rule set looks like this:
>
> $cmd 00010 allow all from any to any via lo0
> $cmd 00015 check-state
> $cmd 00020 allow tcp from any to any established
> $cmd 00021 deny all from any to any frag in via $adslif
> $cmd 00025 allow all from me to any keep-state
> $cmd 00050 allow tcp from table() to any keep-state
> $cmd 00500 fwd 127.0.0.1,3128 $log tcp from any to any 80 in recv $lanif
> $cmd 00600 allow all from $lan to any 53
> $cmd 00602 allow udp from any 53 to any out via $lanif
> $cmd 00603 allow udp from any 53 to any in via $adslif
> $cmd 01500 allow all from $lan to any 443,25,110 keep-state
> $cmd 02000 deny $log all from any to any
>
> As I said, if I run IPFW with these rules, my client can't surf the internet. And I didn't see anything about denying in the ipfw log file. Also there is no activity in the squid log files. I think the forwarding rule doesn't work with that conf. So please, can somebody tell me what's wrong in this situation? Thanks in advance for your help.
>
> --
> Cagri Ersen

Don't you need a rule to allow connections to port 80?
Trying to build Squid 3.0.8
When I try to build Squid it stops with the following:

-
mv -f $depbase.Tpo $depbase.Po; else rm -f $depbase.Tpo; exit 1; fi
neighbors.cc: In function 'void dump_peer_options(StoreEntry*, peer*)':
neighbors.cc:1612: error: 'struct _peer::anonymous' has no member named 'carp'
*** Error code 1
Stop in /usr/ports/www/squid30/work/squid-3.0.STABLE8/src.
*** Error code 1
Stop in /usr/ports/www/squid30/work/squid-3.0.STABLE8/src.
*** Error code 1
Stop in /usr/ports/www/squid30/work/squid-3.0.STABLE8/src.
*** Error code 1
Stop in /usr/ports/www/squid30/work/squid-3.0.STABLE8.
*** Error code 1
Stop in /usr/ports/www/squid30.
*** Error code 1
Stop in /usr/ports/www/squid30.
*** Error code 1
Stop in /usr/ports/www/squid30.
-

Any clues on how I get around this? I tried with squid-3.0.7 last week and it went well; now squid is upgraded to 3.0.8 and it won't build on the same machine!

Thanks
/Leslie

http://www.spreadbsd.org/aff/162/3
Re: Trying to build Squid 3.0.8
Leslie Jensen wrote:
> When I try to build Squid it stops with the following:
>
> -
> mv -f $depbase.Tpo $depbase.Po; else rm -f $depbase.Tpo; exit 1; fi
> neighbors.cc: In function 'void dump_peer_options(StoreEntry*, peer*)':
> neighbors.cc:1612: error: 'struct _peer::anonymous' has no member named 'carp'
> *** Error code 1
> Stop in /usr/ports/www/squid30/work/squid-3.0.STABLE8/src.
> [...]
> *** Error code 1
> Stop in /usr/ports/www/squid30.
> -
>
> Any clues on how I get around this? I tried with squid-3.0.7 last week and it went well; now squid is upgraded to 3.0.8 and it won't build on the same machine!
>
> Thanks
> /Leslie
>
> http://www.spreadbsd.org/aff/162/3

Answering my own post! SQUID_CARP must be marked in make config.

/Les
FreeBSD, Squid, Active Directory integration
I am searching for a way to pass through (not prompt the user for authentication) a Windows user's Active Directory credentials to Squid running on FreeBSD. With this AD info I can ACL where the user can go and have their individual usage logged. All the HOWTOs I found seem to require a manual authentication though. I would prefer this to other alternatives ($) which can do this natively, Windows ISA server being one of these products.
Re: Portsnap behind proxy squid not update
>> I have a proxy (squid) that gives Internet to a set of PCs, one of them a FreeBSD 6.2. When I want to upgrade ports (portsnap fetch) it gives me the following messages:
>>
>> PC1 # fetch portsnap
>
> Did you mean (and actually type) 'portsnap fetch'?

I wrote it wrong.

>> But I fail to upgrade ports, then I modify the file .cshrc and leave it like this:
>>
>> # ee .cshrc
>> setenv HTTP_PROXY http://10.0.1.1:3128
>
> No need to specify the port in your case; 3128 is default for HTTP_PROXY. Does your proxy server require authentication? If so, you need to specify authorization parameters as outlined in man fetch(3).
>
>> setenv FTP_PROXY ftp://10.0.1.1:3128
>> setenv FTP_PASSIVE_MODE ftp://10.0.1.1:3128

My proxy does not require authentication.

> BTW, although FTP_PASSIVE_MODE is enabled by setting it to anything other than 'no', you probably want to set it to something logical like YES instead of just re-listing the proxy URL. :-)

Sorry, I do not understand (I am using a translation tool). Meet as debug to solve the problem?

Thanks
Portsnap behind proxy squid not update
Hi

I have a proxy (squid) that gives Internet to a set of PCs, one of them a FreeBSD 6.2. When I want to upgrade ports (portsnap fetch) it gives me the following messages:

PC1 # fetch portsnap
Looking up portsnap.FreeBSD.org Mirrors ... 4 Mirrors found.
Fetching snapshot tag from portsnap2.FreeBSD.org ... Failed.
Fetching snapshot tag from portsnap1.FreeBSD.org ... Failed.
Fetching snapshot tag from portsnap3.FreeBSD.org ... Failed.
Fetching snapshot tag from portsnap4.FreeBSD.org ... Failed.
No mirrors remaining, giving up.

I looked for documentation and set the ftp_proxy parameter indicated in /etc/make.conf, leaving it like this:

# ee /etc/make.conf
FETCH_ENV= FTP_PROXY=10.0.1.1:3128
FETCH_ENV= HTTP_PROXY=10.0.1.1:3128

But I fail to upgrade ports, then I modify the file .cshrc and leave it like this:

# ee .cshrc
setenv HTTP_PROXY http://10.0.1.1:3128
setenv FTP_PROXY ftp://10.0.1.1:3128
setenv FTP_PASSIVE_MODE ftp://10.0.1.1:3128

But nothing, so I appeal to your experience for any suggestions.

Thanks.
Re: Portsnap behind proxy squid not update
Edgardo Nuevo [EMAIL PROTECTED] wrote:
> I have a proxy (squid) that gives Internet to a set of PCs, one of them a FreeBSD 6.2. When I want to upgrade ports (portsnap fetch) it gives me the following messages:
>
> PC1 # fetch portsnap

Did you mean (and actually type) 'portsnap fetch'?

[...]

> But I fail to upgrade ports, then I modify the file .cshrc and leave it like this:
>
> # ee .cshrc
> setenv HTTP_PROXY http://10.0.1.1:3128

No need to specify the port in your case; 3128 is default for HTTP_PROXY. Does your proxy server require authentication? If so, you need to specify authorization parameters as outlined in man fetch(3).

> setenv FTP_PROXY ftp://10.0.1.1:3128
> setenv FTP_PASSIVE_MODE ftp://10.0.1.1:3128

BTW, although FTP_PASSIVE_MODE is enabled by setting it to anything other than 'no', you probably want to set it to something logical like YES instead of just re-listing the proxy URL. :-)

--
Sahil Tandon [EMAIL PROTECTED]
squid hello write test failed
Dear All

This is an amd64 box with FreeBSD 6.3. So far it is only acting as a firewall (with PF). Yesterday I installed squid via ports with a pretty vanilla configuration, i.e. no neighbour caches, just to be used as a standalone cache for users from the inside net. No interception caching (yet). Squid was not yet put under heavy load; in fact I am so far the only person using it.

Everything worked fine yesterday. However, squid died after squid -k rotate was executed by cron over night. Here is what it came up with after (successful) log rotation:

2008/04/23 04:20:00| storeDirWriteCleanLogs: Starting...
2008/04/23 04:20:00| Finished. Wrote 1706 entries.
2008/04/23 04:20:00| Took 0.0 seconds (1714572.9 entries/sec).
2008/04/23 04:20:00| aioSync: flushing pending I/O operations
2008/04/23 04:20:00| aioSync: done
2008/04/23 04:20:00| logfileRotate: /usr/local/squid/logs/access.log
2008/04/23 04:20:00| sendto FD 12: (1) Operation not permitted
2008/04/23 04:20:00| ipcCreate: CHILD: hello write test failed

Squid was running and accepting connections on port 3128, but they were not carried out any longer. I then killed squid (actually I needed kill -9 to bring it down) and made sure no more squid processes are running. But now, every time I try to start squid, manually or via rc.d, I get the same messages as above. The FD number varies, but everything else stays the same. There were no other changes made on the machine in between that I am aware of. What is going on here?

Regards
Tobias

FWIW, here is my config:

cache_log /usr/local/squid/logs/cache.log
cache_access_log /usr/local/squid/logs/access.log
cache_store_log none
connect_timeout 2 minutes
log_fqdn on
cache_effective_user squid
http_port 3128
acl all src 0.0.0.0/0.0.0.0
acl manager proto cache_object
acl localhost src 127.0.0.1/255.255.255.255
acl to_localhost dst 127.0.0.0/8
acl SSL_ports port 443
acl Safe_ports port 80          # http
acl Safe_ports port 21          # ftp
acl Safe_ports port 443         # https
acl Safe_ports port 70          # gopher
acl Safe_ports port 210         # wais
acl Safe_ports port 1025-65535  # unregistered ports
acl Safe_ports port 280         # http-mgmt
acl Safe_ports port 488         # gss-http
acl Safe_ports port 591         # filemaker
acl Safe_ports port 777         # multiling http
acl CONNECT method CONNECT
http_access allow manager localhost
http_access deny manager
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports
http_access deny to_localhost
acl inside_net src xxx.xxx.xxx.0/24
http_access allow inside_net
http_access allow localhost
http_access deny all
cache_mgr [EMAIL PROTECTED]
maximum_object_size 32 MB
cache_replacement_policy heap LFUDA
cache_dir aufs /usr/local/squid/cache 32768 32 256
Restart Squid proxy server
Hello,

How do I restart the squid proxy server in FreeBSD?

Thanks...
RE: Restart Squid proxy server
> Hello,
>
> How do I restart the squid proxy server in FreeBSD?
>
> Thanks...

Use the following command:

/usr/local/etc/rc.d/squid restart

Regards,
Johan Hendriks
Double L Automatisering
Re: Does softupdate help squid ?
On Mon, 17 Mar 2008 12:26:11 -0400 Christopher Sean Hilton [EMAIL PROTECTED] wrote:
> Thanks for the enlightenment. My understanding is that Squid can do both forward and reverse proxy. At least it would seem so since that's the way I'm using it. I did not know that varnish cannot be used as a forward proxy though. As I said before, varnish is on my list of things to investigate since it seems to have a much more modern design than squid.

Varnish does look very interesting (especially the configuration side of things). But, as you point out, it seems more specific than Squid (or squid more flexible, whatever :) ).

BTW, does Squid 3 finally implement ESI?

B

_
{Beto|Norberto|Numard} Meijome

Everything should be made as simple as possible, but not simpler. Albert Einstein

I speak for myself, not my employer. Contents may be hot. Slippery when wet. Reading disclaimers makes you go blind. Writing them is worse. You have been Warned.
Does softupdate help squid ?
Hello

I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?

Thanks a lot
Re: Does softupdate help squid ?
On Mon, 17 Mar 2008 09:51:58 +0100 Frank Bonnet [EMAIL PROTECTED] wrote:
> Hello
>
> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?

Yes, use soft-updates. And you should mount any dedicated cache partitions as noatime. It's also a good idea to build in aufs support and use that in your cache_dir entry, instead of the standard ufs cache type which blocks on disk i/o.
Re: Does softupdate help squid ?
On Mar 17, 2008, at 4:51 AM, Frank Bonnet wrote:
> Hello
>
> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?

I can't imagine that it would hurt. Last I looked though squid may not be the best tool for this job. Poul Henning-Kamp has written an http accelerator called varnish. I'll start by saying that implementing varnish is on my list of things to do so my experience is purely anecdotal. Now that I've said that, the feature that grabbed my attention was the fact that it's written to modern unix. If I understand what I read correctly this means that varnish eschews squid's separation of the cache into a fast cache in memory and a slow cache on disk. Instead varnish uses a big memory mapped file allowing the operating system to manage which cache objects are in memory and which ones are on disk. On FreeBSD at least that would seem to me to be a bigger performance win than softupdates.

-- Chris
RE: Does softupdate help squid ?
Squid is a forward proxy whereas varnish is just a reverse proxy, so you can not use it for lan to wan proxy!

Regards,
Johan

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED] On Behalf Of Christopher Sean Hilton
Sent: Monday, 17 March 2008 12:41
To: Frank Bonnet
Subject: Re: Does softupdate help squid ?

> On Mar 17, 2008, at 4:51 AM, Frank Bonnet wrote:
>> Hello
>>
>> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?
>
> I can't imagine that it would hurt. Last I looked though squid may not be the best tool for this job. Poul Henning-Kamp has written an http accelerator called varnish. I'll start by saying that implementing varnish is on my list of things to do so my experience is purely anecdotal. Now that I've said that, the feature that grabbed my attention was the fact that it's written to modern unix. If I understand what I read correctly this means that varnish eschews squid's separation of the cache into a fast cache in memory and a slow cache on disk. Instead varnish uses a big memory mapped file allowing the operating system to manage which cache objects are in memory and which ones are on disk. On FreeBSD at least that would seem to me to be a bigger performance win than softupdates.
>
> -- Chris
Re: Does softupdate help squid ?
On Mar 17, 2008, at 11:51 AM, Johan Hendriks wrote:
> Squid is a forward proxy whereas varnish is just a reverse proxy, so you can not use it for lan to wan proxy!

Thanks for the enlightenment. My understanding is that Squid can do both forward and reverse proxy. At least it would seem so since that's the way I'm using it. I did not know that varnish cannot be used as a forward proxy though. As I said before, varnish is on my list of things to investigate since it seems to have a much more modern design than squid.

-- Chris
Re: Does softupdate help squid ?
> Hello
>
> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?

I would say it's absolutely needed. Anyway, any reason to not use soft updates on every filesystem?
Re: Does softupdate help squid ?
On Monday 17 March 2008 19:17:58 Wojciech Puchar wrote:
>> Hello
>>
>> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?
>
> I would say it's absolutely needed. Anyway, any reason to not use soft updates on every filesystem?

What exactly is a soft update?
Re: Does softupdate help squid ?
On Mon, Mar 17, 2008 at 07:34:04PM +, Pollywog wrote:
> On Monday 17 March 2008 19:17:58 Wojciech Puchar wrote:
>>> Hello
>>>
>>> I'm setting up a squid cache (3.0.2) machine, FreeBSD 7.0 based, and I wonder if softupdates could help (make it faster) or not on the cache partition?
>>
>> I would say it's absolutely needed. Anyway, any reason to not use soft updates on every filesystem?
>
> What exactly is a soft update?

It's a bit like a hard update, but it won't hurt your disks as much if your system crashes... ;-P

On a more serious note, it's a technique for ensuring the integrity of disks after a system crash or power failure. Like journalling, they don't guarantee data won't be lost, but instead that the disks will be in a consistent state at recovery. There are many many papers on the subject on the web, if you're interested.

Dan

--
Daniel Bye
                                      _
                  ASCII ribbon campaign ( )
             - against HTML, vCards and  X
    - proprietary attachments in e-mail / \
Re: Does softupdate help squid ?
On Mar 17, 2008, at 4:14 PM, Daniel Bye wrote:
> On Mon, Mar 17, 2008 at 07:34:04PM +, Pollywog wrote:
>> On Monday 17 March 2008 19:17:58 Wojciech Puchar wrote:
>>> I would say it's absolutely needed. Anyway, any reason to not use soft updates on every filesystem?
>>
>> What exactly is a soft update?
>
> It's a bit like a hard update, but it won't hurt your disks as much if your system crashes... ;-P
>
> On a more serious note, it's a technique for ensuring the integrity of disks after a system crash or power failure. Like journalling, they don't guarantee data won't be lost, but instead that the disks will be in a consistent state at recovery.

Soft updates is a means of re-ordering the writes to a filesystem such that the complete filesystem, both data and meta data, remains reasonably consistent during the writing process. This consistency is necessary insurance in case of a system crash or power failure during the writing process. Soft updates seeks to re-order the writes in such a way that the filesystem can be safely recovered by an automatic fsck process when the system is restarted. At the same time soft updates works to maintain high system performance.

Previous to soft updates you could either mount the filesystem synchronously or asynchronously. With synchronous mounts the filesystem meta data writes were handled before data writes. This caused excessive and expensive seeking from the disk mechanism as it moved from one part of the disk to update the meta-data to the other part of the disk to write the application data. With an asynchronous mount the kernel was free to perform the writes in the order most beneficial for performance, but if the system crashed in the middle of a write one could expect a very difficult situation for fsck to fix.

My squid is on OpenBSD. My cache partition is spread across two spindles of a drive provided by the ccd driver mounted either asynchronously or with soft updates. Either way is fine because if my squid machine were to crash so hard that the cache partition was toast it wouldn't take but 10 minutes to rebuild the filesystem from scratch and use squid -z to reinitialize it. For me there's really no data on there worthy of softupdates.

-- Chris
PF connection pool + squid 3 oddity
Hello,

I have a very odd problem with a pf connection pool (2 ISPs) and squid 3. Just to mention, I support 3 other networks without a connection pool. All of them work using squid and pf but do not use a connection pool.

If I set up my browser to use the proxy (e.g. gateway port 3128), all traffic passes through squid. If I use the rdr rule (as I should) I am unable to browse the web. My question is what is the difference between the request from a browser instructed to use a proxy, and the rdr rule of pf. Why are my requests dying?

I will not attach squid.conf since I have changed just the allowed network and have added transparent. Here is my sample pf.conf:

lan_net = 192.168.0.0/24
int_if = rl0
ext_if1 = dc0
ext_if2 = rl1
ext_gw1 = X1
ext_gw2 = X2
local_host = 127.0.0.1

# define ports
ports_in = {9000}
ports_out = {21, 25, 53, 80, 110, 443, 1863, 1194, 5190, 5222, 9000}

# define allowed hosts
table <allowed> persist file /etc/allowed

# skip lo0
set skip on lo0

# default block policy
set block-policy drop

# normalize packets
scrub in all fragment reassemble

# squid it
#rdr on $int_if inet proto tcp to port 80 -> $local_host port 3128

# nat outgoing connections on each internet interface
# nat on $ext_if1 from $lan_net to any -> ($ext_if1)
# nat on $ext_if2 from $lan_net to any -> ($ext_if2)
nat on $ext_if1 from <allowed> to any -> ($ext_if1)
nat on $ext_if2 from <allowed> to any -> ($ext_if2)

# spoof protection
antispoof quick for {$int_if, $ext_if1, $ext_if2}

# default deny
block in log from any to any
block out log from any to any

# pass all outgoing packets on internal interface
pass out on $int_if from any to $lan_net

# pass in quick any packets destined for the gateway itself
pass in quick on $int_if from $lan_net to $int_if
pass out quick on $int_if from $int_if to $lan_net

# load balance outgoing tcp traffic from internal network.
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto tcp from $lan_net to any flags S/SA modulate state

# load balance outgoing udp and icmp traffic from internal network
pass in on $int_if route-to \
    { ($ext_if1 $ext_gw1), ($ext_if2 $ext_gw2) } round-robin \
    proto { udp, icmp } from $lan_net to any keep state

# general pass in rules for external interfaces
pass in on $ext_if1 proto tcp from any to $ext_if1 port $ports_in
pass in on $ext_if2 proto tcp from any to $ext_if2 port $ports_in

# general pass out rules for external interfaces
pass out on $ext_if1 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if1 proto udp from any to any port $ports_out keep state
pass out on $ext_if1 proto icmp from any to any keep state
pass out on $ext_if2 proto tcp from any to any port $ports_out flags S/SA modulate state
pass out on $ext_if2 proto udp from any to any port $ports_out keep state
pass out on $ext_if2 proto icmp from any to any keep state

# route packets from any IPs on $ext_if1 to $ext_gw1 and the same for
# $ext_if2 and $ext_gw2
pass out on $ext_if1 route-to ($ext_if2 $ext_gw2) from $ext_if2 to any
pass out on $ext_if2 route-to ($ext_if1 $ext_gw1) from $ext_if1 to any

Thanks in advance.
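The difference the poster asks about, and the reason the pf rdr and ipfw fwd setups in the transparent-proxy threads above need Squid's transparent/intercept mode, shown as an added example in Python (not code from the thread, Squid or pf): a browser configured for a proxy sends the whole URL in the request line, while an intercepted client believes it is talking to the origin server and sends only the path, so the proxy must recover the origin from the Host header. The sample requests and the name-to-address table are constructed, and the Host-versus-redirected-destination check is a generic defensive check added here, not Squid's own logic.

```python
"""Explicit-proxy versus intercepted (pf rdr / ipfw fwd) HTTP requests."""
from urllib.parse import urlsplit

# Constructed sample requests, not captured from any poster's network.
EXPLICIT_PROXY_REQUEST = (
    b"GET http://www.freebsd.org/ports/ HTTP/1.1\r\n"
    b"Host: www.freebsd.org\r\n"
    b"Proxy-Connection: keep-alive\r\n\r\n"
)
INTERCEPTED_REQUEST = (
    b"GET /ports/ HTTP/1.1\r\n"
    b"Host: www.freebsd.org\r\n"
    b"Connection: keep-alive\r\n\r\n"
)
# Constructed stand-in for DNS (documentation-range addresses).
NAME_TO_ADDRS = {"www.freebsd.org": {"203.0.113.5"}}


def parse_request(raw):
    """Split a raw HTTP/1.x request head into (method, target, version, headers)."""
    head, _, _ = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    method, target, version = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, version, headers


def resolve_origin(raw, intercepted_dst=None):
    """Return (hostname, port, path) the proxy should fetch from.

    intercepted_dst is the (ip, port) the client actually connected to before
    the firewall redirected it; it is None for an explicit proxy client.
    """
    _method, target, _version, headers = parse_request(raw)

    # Absolute-form request line: the browser was configured to use a proxy
    # and told us the origin itself, no Host guessing needed.
    if target.startswith("http://"):
        u = urlsplit(target)
        path = u.path or "/"
        if u.query:
            path += "?" + u.query
        return u.hostname, u.port or 80, path

    # Origin-form request line: only a path, so this client was intercepted by
    # an rdr/fwd rule and never meant to talk to a proxy.
    if intercepted_dst is None:
        raise ValueError("origin-form request without interception context")
    host = headers.get("host")
    if not host:
        raise ValueError("intercepted request lacks a Host header")
    hostname, _, port_text = host.partition(":")
    port = int(port_text) if port_text else 80

    # Defensive check (added here, not Squid's code): in intercept mode the
    # proxy only knows the Host header is honest if it resolves to the address
    # the firewall redirected; otherwise the cache would store content under a
    # name the client chose rather than the server it really reached.
    dst_ip, dst_port = intercepted_dst
    if port != dst_port or dst_ip not in NAME_TO_ADDRS.get(hostname.lower(), set()):
        raise ValueError(
            f"Host {hostname}:{port} does not match redirected destination "
            f"{dst_ip}:{dst_port}")
    return hostname, port, target
```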
RE: Squid with a Net nanny type setup....
Thanks for the advice. I've noticed dansguardian and looked into it a little bit. I've also blocked some words, which works but doesn't work because it kills some legitimate pages. I've also tossed around the idea with my fiancé about locking them down to certain websites, but that is problematic with doing some school work (kids are 9 and 11). I think what bothers me most is them stumbling across something. Say they are curious what the word milf means and they search for it... that would be an eye opener! So right now I have a list of words that are blocked from URLs and a large number of sites blacklisted, gathered from other people's lists scavenged from Google.

Thanks for the replies,
Tony

PS Squid is a very cool thing, and I can use MRTG to gather data and display it, but it does seem to have some performance hit with surfing. I moved it from my dual Pentium Pro 200 to my dual P3 1 GHz and that made a difference; now I just need some speedy SATA disks and a good SATA controller.

-----Original Message-----
From: Ted Mittelstaedt
Sent: Sunday, November 25, 2007 12:40 AM
To: Murray Taylor; Tony; freebsd-questions@freebsd.org
Subject: RE: Squid with a Net nanny type setup

> Or much better yet, do it the way I do it. Load Squid, set up the kids' system to use it, then set up Squid to only allow the kids to go to a list of sites. As my kids learn about interesting sites they want to go to, -I- visit those sites, and if I decide they are OK, I put them in the approved list.
>
> Stuff like dansguardian is, in my opinion, for lazy parents who want to hand off their parental responsibilities to other people.
>
> The other thing is that by the time the kid is 14-15 they should be mature enough to make their own choices and deal with what they find. At that time, if you're still having to run filtering software, you better turn off Internet access completely and schedule your kid in with some sessions with a psychologist, as seriously, he's got a problem.
>
> Ted
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Murray Taylor
> Sent: Thursday, November 22, 2007 4:59 PM
> To: Tony; freebsd-questions@freebsd.org
> Subject: RE: Squid with a Net nanny type setup
>
>> Look at dansguardian; it's in the ports and is excellent for kid-management.
>>
>> mjt
>>
>> -----Original Message-----
>> From: [EMAIL PROTECTED] On Behalf Of Tony
>> Sent: Friday, 23 November 2007 4:34 AM
>> To: freebsd-questions@freebsd.org
>> Subject: Squid with a Net nanny type setup
>>
>>> Is there a big list of inappropriate websites somewhere that I can build into Squid to keep my kids out of adult websites? If not Squid, is there a better proxy to use on my FreeBSD firewall for that purpose?
>>>
>>> Thanks,
>>> Tony
>>
>> ---
>> The information transmitted in this e-mail is for the exclusive use of the intended addressee and may contain confidential and/or privileged material. Any review, re-transmission, dissemination or other use of it, or the taking of any action in reliance upon this information by persons and/or entities other than the intended recipient is prohibited. If you received this in error, please inform the sender and/or addressee immediately and delete the material. E-mails may not be secure, may contain computer viruses and may be corrupted in transmission. Please carefully check this e-mail (and any attachment) accordingly. No warranties are given and no liability is accepted for any loss or damage caused by such matters.
>> ---
>> ### This e-mail message has been scanned for Viruses by Bytecraft ###

_______________________________________________
freebsd-questions@freebsd.org mailing list
http://lists.freebsd.org/mailman/listinfo/freebsd-questions
To unsubscribe, send any mail to [EMAIL PROTECTED]
RE: Squid with a Net nanny type setup....
-----Original Message-----
From: Tony
Sent: Sunday, November 25, 2007 9:10 AM
To: 'Ted Mittelstaedt'; 'Murray Taylor'; freebsd-questions@freebsd.org
Subject: RE: Squid with a Net nanny type setup

> Thanks for the advice. I've noticed dansguardian and looked into it a little bit. I've also blocked some words, which works but doesn't work because it kills some legitimate pages. I've also tossed around the idea with my fiancé about locking them down to certain websites, but that is problematic with doing some school work (kids are 9 and 11). I think what bothers me most is them stumbling across something.

Well, I have a 9 year old boy myself. I would never allow him to do school research on the Internet unsupervised. The only research access on the Internet he has is access to the online Encyclopedia Americana. At 9 years old their brains aren't developed enough to handle it.

As for the 11 year old, at 11 years old I myself had a stack of Playboys and Oui under my bed, Oui had full on twat shots and all that. Actually the Playboys were excellent reading material - I learned all about Scientology and cults from reading the Playboy interviews with Ted Patrick AKA Black Lightning, see:

http://en.wikipedia.org/wiki/Ted_Patrick

It served me very well a few years later in High School as I was to run into many Born Again Christians programmed by their particular churches, so I recognized the mental affliction immediately. And then again a few years later when in my mid 20's, through no intent on my part, I ended up getting a job with a company that I eventually discovered was a Church of Scientology front. The owners of that company are in jail at the current time, convicted of securities fraud (years after I left that company). And yes, when I was there, they did attempt to get me sucked into the cult of Scientology...

Believe me, to this day my parents know as much about cults as they know about the WWII Japanese atrocities against the Chinese, which is to say - about nothing. I think sometime when I was 15 or so my Mom decided to clean out my room and found and tossed out all my porno mags. It was a sad day. :-( This was long after junior high school sex ed class so it saved both of us the embarrassment of her finding out I knew more about sex than she did. ;-)

You really need to concentrate on laying the firm sense of right and wrong, and forget about worrying about the nekkid pictures he or she may come across. For all my early exposure, I didn't get laid until I was 17. Just because you understand how the plumbing works doesn't mean that you just toss out your sense of right and wrong.

> Say they are curious what the word milf means and they search for it... that would be an eye opener! So right now I have a list of words that are blocked from URLs and a large number of sites blacklisted, gathered from other people's lists scavenged from Google.

Well, there is something to be said for the idea that if you make it taboo you make it more attractive.

Ted
RE: Squid with a Net nanny type setup....
Or much better yet, do it the way I do it. Load Squid, set up the kids' system to use it, then set up Squid to only allow the kids to go to a list of sites. As my kids learn about interesting sites they want to go to, -I- visit those sites, and if I decide they are OK, I put them in the approved list.

Stuff like dansguardian is, in my opinion, for lazy parents who want to hand off their parental responsibilities to other people.

The other thing is that by the time the kid is 14-15 they should be mature enough to make their own choices and deal with what they find. At that time, if you're still having to run filtering software, you better turn off Internet access completely and schedule your kid in with some sessions with a psychologist, as seriously, he's got a problem.

Ted

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Murray Taylor
Sent: Thursday, November 22, 2007 4:59 PM
To: Tony; freebsd-questions@freebsd.org
Subject: RE: Squid with a Net nanny type setup

> Look at dansguardian; it's in the ports and is excellent for kid-management.
>
> mjt
>
> -----Original Message-----
> From: [EMAIL PROTECTED] On Behalf Of Tony
> Sent: Friday, 23 November 2007 4:34 AM
> To: freebsd-questions@freebsd.org
> Subject: Squid with a Net nanny type setup
>
>> Is there a big list of inappropriate websites somewhere that I can build into Squid to keep my kids out of adult websites? If not Squid, is there a better proxy to use on my FreeBSD firewall for that purpose?
>>
>> Thanks,
>> Tony
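A Squid allow-list of the kind Ted describes above, as an added example that is not part of the original thread and not anyone's actual configuration; the kids' box at 192.168.1.50, the 192.168.1.0/24 LAN and the list file path are assumptions:

```squid
# Added example, not from the thread. A per-host allow-list: the kids'
# machine (assumed 192.168.1.50) may only reach domains named in a file,
# while the rest of the LAN (assumed 192.168.1.0/24) is not filtered.

acl kids     src 192.168.1.50/32
acl localnet src 192.168.1.0/24

# One domain per line in the file (path is an assumption). A leading dot,
# e.g. ".wikipedia.org", matches the domain and all of its subdomains.
acl kids_ok dstdomain "/usr/local/etc/squid/kids_allowed.txt"

acl SSL_ports  port 443
acl Safe_ports port 80 443
acl CONNECT    method CONNECT

# Standard port sanity rules from the default squid.conf.
http_access deny !Safe_ports
http_access deny CONNECT !SSL_ports

# Rules are evaluated top down and the first match wins, so the kids'
# allow rule must come before the kids' deny rule, and both must come
# before the general LAN rule or the LAN rule would let the kids' box
# through unfiltered.
http_access allow kids kids_ok
http_access deny  kids
http_access allow localnet
# "all" is defined in the default squid.conf for 2.6 and built in from 3.x.
http_access deny  all
```

Check the file with `squid -k parse` before `squid -k reconfigure`, and remember that the list only holds if the kids' box cannot bypass the proxy, so direct outbound traffic from that address has to be blocked at the FreeBSD firewall as well.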
RE: Squid with a Net nanny type setup....
Look at dansguardian; it's in the ports and is excellent for kid-management.

mjt

-----Original Message-----
From: [EMAIL PROTECTED] On Behalf Of Tony
Sent: Friday, 23 November 2007 4:34 AM
To: freebsd-questions@freebsd.org
Subject: Squid with a Net nanny type setup

> Is there a big list of inappropriate websites somewhere that I can build into Squid to keep my kids out of adult websites? If not Squid, is there a better proxy to use on my FreeBSD firewall for that purpose?
>
> Thanks,
> Tony
Squid with a Net nanny type setup....
Is there a big list of inappropriate websites somewhere that I can build into Squid to keep my kids out of adult websites? If not Squid, is there a better proxy to use on my FreeBSD firewall for that purpose?

Thanks,
Tony
Re: SQUID 2.6 disk usage didn't grow HELP
Hi Narek,

Narek Gharibyan wrote:
> I set up a squid 2.6 transparent proxy with default settings on a P4 2000, 512 MB RAM / 80 GB HDD. I changed only

Which exact 2.6 version of Squid are you using? Which FreeBSD version are you running on your machine?

> cache_mem 128 MB
> cache_dir ufs /usr/local/squid/cache 40960 16 256
>
> Squid works normally and does caching. It takes 300 MB RAM and about 3 GB HDD space, but it DOESN'T use more space. Squid has worked for about 15 days without any restart, and it uses only 3 GB and the cache size didn't grow. Is it normal? I want to use more HDD cache. Please advise.

That's strange. Can you post the full output of squidclient mgr:info and squidclient mgr:storedir?

> Thank you in advance

Thanking you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator (TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
http://teklimbu.wordpress.com
SQUID 2.6 disk usage didn't grow HELP
I set up a squid 2.6 transparent proxy with default settings on a P4 2000, 512 MB RAM / 80 GB HDD. I changed only

cache_mem 128 MB
cache_dir ufs /usr/local/squid/cache 40960 16 256

Squid works normally and does caching. It takes 300 MB RAM and about 3 GB HDD space, but it DOESN'T use more space. Squid has worked for about 15 days without any restart, and it uses only 3 GB and the cache size didn't grow. Is it normal? I want to use more HDD cache. Please advise.

Thank you in advance
Re: My Proxy Server(Squid) in FreeBSD 5.4 used to be hang
Hi Prakash,

Prakash Poudyal wrote:
> Hello Everybody,
>
> I have an IBM server running FreeBSD 5.4 with Squid as a proxy server. After running for 2 or 3 days, the server cannot be pinged and also does not provide the service, but, you know, when I go and access that server directly it starts to work. It is not hung; it starts to work. I don't know what its problem is. So please could you give me some idea related to it.

Without providing some technical aspects of your server and Squid configurations, it's difficult for us to help you resolve your problems.

Are you running Squid transparently? Please post your squid.conf and the output of sysctl -A. Also describe your network topology. Are you running some kind of firewall on your Squid box?

What's the output from the command: netstat -m

What do your cache.log and access.log say?

Thanking you...

--
With best regards and good wishes,
Yours sincerely,
Tek Bahadur Limbu
System Administrator (TAG/TDG Group)
Jwl Systems Department
Worldlink Communications Pvt. Ltd.
Jawalakhel, Nepal
http://www.wlink.com.np
My Proxy Server(Squid) in FreeBSD 5.4 used to be hang
Hello Everybody,

I have an IBM server running FreeBSD 5.4 with Squid as a proxy server. After running for 2 or 3 days, the server cannot be pinged and also does not provide the service, but, you know, when I go and access that server directly it starts to work. It is not hung; it starts to work. I don't know what its problem is. So please could you give me some idea related to it.